Abstract


Distributed interactions are crucial design aspects to consider in modern applications. They can be suitably designed in terms of choreographies, which are global descriptions of the coordination of several distributed parties. Global assertions define contracts for choreographies by annotating multiparty session types with logical formulae that validate the content of the exchanged messages. The introduction of such constraints is a critical design issue, as it may be hard to specify contracts that allow each party to progress without violating the contract. We propose three algorithms to correct inconsistent global assertions. The methods are compared by discussing their applicability and the relationships between the amended global assertions and the original (inconsistent) ones. We also specify a methodology that exploits our algorithms to help designers amend their choreographies. To show how the methodology can be applied we consider a simple scenario.
1 Introduction


The coordination of distributed activities is not an easy task and has to be tackled at different levels of abstraction. In particular, the coordination of distributed applications has recently received considerable attention. The main approaches in this context are orchestrations and choreographies; in this paper we focus on the latter.

Choreographies are high-level models that describe the conversations among distributed parties from a global perspective. The techniques used to represent choreographies span from informal approaches (like UML's sequence diagrams) to formal ones (like Message Sequence Charts) [1, 10, 12]. Among the latter family of models, global types [8] and global assertions [3] provide an effective approach to the design of choreographies (as e.g., in [6]) by allowing static checking of a number of properties such as progress and session fidelity.

Intuitively, global types establish the interaction pattern for the harmonious coordination of distributed parties, while global assertions combine global types with logic to support design-by-contract [11]. For instance, consider a choreography where two distributed participants, say Alice and Bob, have a “request-reply” interaction; a global type for such a choreography could be

    Alice → Bob : a(String).
    Bob → Alice : b(Bool)

where the first interaction is a request from Alice to Bob carrying a message of type String on a communication channel a, and the second interaction is Bob's reply to Alice on b with a message of type Bool.

Global assertions decorate global types with logical formulae (predicates) that constrain interactions, declaring senders' obligations and receivers' requirements on the values of the exchanged data and on the choice of the branches to follow. This adds fine-grained constraints to the specification of the interaction structure. Consider for instance the global assertion below, where the values of the messages are represented by the interaction variables x and y (the communication channels and the types of the exchanged data are immaterial, hence omitted):

    Alice → Bob : {x | x > 0}.
    Bob → Carol : {y | y > x}                                    (1.1)

Assertion (1.1) describes a protocol with three participants, Alice, Bob, and Carol, who agree on a “contract” constraining the interaction variables x and y. The contract stipulates that (i) Alice has to send Bob a positive value x in the first interaction, and that (ii) Bob is obliged to send Carol a value y strictly greater than x, the value fixed by Alice in the first interaction. Notice that Bob can fulfil his pledge (i.e., the predicate y > x in the second interaction) only after he has received the value x from Alice.


Once designed, a global assertion G is projected on endpoint assertions 
that are local types — modelling the behaviour of a specific participant — 
constrained according to the predicates of G. For instance, the projection on 
Alice in the example (1.1) above is an endpoint assertion prescribing that 
Alice has to send a positive value to Bob. Endpoint assertions can be used 
for static validation of the actual processes implementing one or more roles 
in a choreography represented by G, and/or to synthesise monitor processes 
for run-time checking/enforcement [7]. 


The methodology described above can be applied only when global 
assertions are well-asserted [3], namely when global assertions obey two 
precise design principles: history-sensitivity (HS for short) and temporal 
satisfiability (TS for short). Informally, HS demands that a party having 
an obligation on a predicate has enough information for choosing a set of 
values that guarantees it. Instead, TS requires that the values sent in each 
interaction do not make predicates of future interactions unsatisfiable. 


The main motivation of our interest in HS and TS is that, in global 
assertions, they are the technical counterparts of the fundamental coordina- 
tion issue that could be summarized in the slogan “who does what and when 
does (s)he do it”. In fact, HS pertains to when variables are constrained and 
who constrains them, while TS pertains to which values variables take. The 
contracts specified in global assertions are, on the one hand, “global” as they 
pertain to the whole choreography while, on the other hand, they are also 
“local” in (at least) two aspects. The first is that they assign responsibilities 
to participants (who) at definite moments of the computation (when). The 
second aspect is that the values assigned to variables are critical because 
either one could over-constrain variables fixed in the past or over-restrict the 
range of those assigned in the future (which). These conditions (especially 
TS) are rather crucial as global assertions that violate them may be infeasible 
or fallacious. For instance, if the predicate for Bob in the second interaction 
in (1.1) were 3 > y > x then Bob could not fulfill his contract if Alice 
had fixed the value 2 for x in the first interaction. Remarkably, a global 
assertion not satisfying TS may lead to conversations in which progress is not 
guaranteed unless one of the participants deliberately violates the contract. 
Guaranteeing HS and TS is often non-trivial, and the burden is on the software architect; tools like the ones described in [9] only highlight the problems but do not help to fix them. HS and TS are global semantic properties that may be hard to achieve. For instance, restoring TS requires tracing back to the “under-constrained” interactions (i.e., those which allow values causing future predicates to be unsatisfiable) and re-distributing the unsatisfiable constraints there.


Contributions  We show a few techniques that help software architects amend global assertions during the design of distributed choreographies. Our results include: two algorithms to solve HS problems, one algorithm to solve TS problems, and a methodology for applying the algorithms to protocol design. We show that the algorithms satisfy the following properties: structure preservation, i.e., they do not modify the underlying type structure (Proposition 2 and Proposition 4); property preservation, i.e., they do not introduce new violations (Proposition 5); and correctness, i.e., if applicable they correct all the problems (Theorems 1 and 2).

This article is the full version of the extended abstract published in [4]. 
We include here extended definitions and explanations, as well as proofs 
for our key results, and sketches of proofs for trivial ones. In addition, we 
discuss the practical applications of the methodology in a case study. 


Structure of the paper The preliminary notions used in the rest of the 
paper are given in § 2. In § 3 we give two algorithms to fix HS violations; 
the first algorithm strengthens a predicate while the second one is based on 
variable propagation. In § 4 we give an algorithm which, if possible, moves 
the occurrence of predicates earlier in the global assertion in order to remove 
TS violations. § 5 outlines a methodology based on the three algorithms. § 6 
illustrates the methodology via an example. Conclusions and future work 
are discussed in § 7. 


2 Preliminaries 


Let P (ranged over by p, q, s, r, ...) and V (ranged over by u, v, x, y, ...) be two countably infinite sets of identifiers. We assume P ∩ V = ∅ and call their elements participants and interaction variables, respectively. Hereafter, $\tilde{\cdot}$ represents a list of elements (for instance, $\tilde v$ is a list of interaction variables). The concatenation of $\tilde u$ and $\tilde v$ is denoted by the juxtaposition $\tilde u\,\tilde v$; abusing notation, we identify a one-element list with its (unique) element and identify lists with the underlying sets of their elements (e.g., $a \in \tilde v$ indicates that a occurs in the list $\tilde v$). As in [3], we parameterise our constructions by abstracting away from the logical language Ψ adopted. Here, it suffices to assume that Ψ is a decidable fragment of first-order logic obtained by adding first-order quantification to a language of boolean expressions. In fact, we allow expressions (ranged over by e) that include constructors and operators/relations of common data types (e.g., strings, integers, booleans) and variables drawn from V. (For simplicity, our examples use basic numeric types or strings.) We write var(e) for the set of variables occurring in e and use the symbol ⊃ to denote logical implication. A predicate ψ ∈ Ψ is then either a boolean expression e or a quantified predicate ∀v.e or ∃v.e. Given a predicate ψ ∈ Ψ, var(ψ) is the set of free interaction variables of ψ (we write ψ($\tilde v$) to emphasise that var(ψ) ⊆ $\tilde v$).

The main ingredients of global assertions are interactions, abbreviated ι, like

    $s \to r : \{\tilde v \mid \psi\}$                                          (2.1)

where s, r ∈ P are the sender and the receiver, $\tilde v \subseteq V$ is a list of pairwise distinct variables, and ψ ∈ Ψ. We say that the variables $\tilde v$ in (2.1) are introduced by s. The interaction (2.1) reads as “s has to send to r some values for $\tilde v$ that satisfy ψ” or as “r relies on the values fixed by s for $\tilde v$ satisfying ψ”. For instance,³

    $s \to r : \{u\, w \mid \exists v.\, u = v \times w\}$

states that s has the obligation to send r two values such that the first is a multiple of the second. Given ι as in (2.1), we define

    $\mathit{snd}(\iota) \stackrel{\text{def}}{=} s,\qquad \mathit{rcv}(\iota) \stackrel{\text{def}}{=} r,\qquad \mathit{var}(\iota) \stackrel{\text{def}}{=} \tilde v,\qquad \mathit{cst}(\iota) \stackrel{\text{def}}{=} \psi$

Remark 1. In [3], interactions specify a channel over which participants communicate. In (2.1) and in the rest of the paper we omit channels since they are inconsequential to our results. In fact, the algorithms we present do not use the identities of channels but only those of participants and variables.

³For simplicity, we assume the typing of variables understood.
Global assertions are ranged over by G and have the following syntax:

    G ::= ι.G                                                  Prefix
        | $s \to r : \{\{\psi_j\}\, l_j : G_j\}_{j \in J}$       Branching
        | $\mu t(\tilde e)\{\tilde v \mid \psi\}.G$                Recursive definition
        | $t(\tilde e)$                                          Recursive call
        | end                                                  End session

where ψ, ψ_j ∈ Ψ and l_j ranges over a set of labels.

The syntax above is essentially borrowed from [3] but for a slightly 
simplified notation. In [3], the semantics of global assertions is given in 
terms of endpoint assertions (by projecting global assertions to endpoint 
assertions and exploiting the operational semantics of the latter). For the 
sake of this paper, only the syntactic aspects of global assertions given below 
are relevant; therefore, we give an informal account of the semantics of global 
assertions. 

The prefix production ι.G defines a global assertion where the interaction ι must precede the interactions in G. The branching production allows the selector s to choose one of the labels l_j (with j in a finite index set J) and send it to r; then the interactions in G_j occur. Recursion is dealt with as usual, except for the presence of an initialisation vector $\tilde e$ (of the same length as $\tilde v$) which specifies the initial value of each formal parameter in $\tilde v$ and on which a recursion invariant ψ is specified. Finally, the last production represents a completed global assertion; trailing occurrences of end are often omitted.

In a recursive definition $\mu t(\tilde e)\{\tilde v \mid \psi\}.G$, occurrences of t (i.e., recursive calls) in G must be prefix-guarded and the length of $\tilde e$ is the same as that of $\tilde v$; also, we assume that recursion variables t always occur in the scope of a recursive definition $\mu t(\tilde e)\{\tilde v \mid \psi\}$.

We denote with var(G) the set of interaction variables and recursion parameters in G. The interaction variables var(ι) of a global assertion ι.G are bound in G and in cst(ι); similarly, the formal parameters $\tilde v$ of a recursive definition $\mu t(\tilde e)\{\tilde v \mid \psi\}.G$ are bound in ψ and in the recursion body G. We consider closed global assertions (i.e., for any occurrence of v ∈ V in G, either the occurrence is in a recursive definition having v as a formal parameter, or there is an interaction ι in G such that v ∈ var(ι) that precedes that occurrence of v).

Remark 2. For simplicity, we assume that bound variables are pairwise distinct.


Definition 1 (Knows). Under the syntactic restrictions listed above, we say that a participant p knows a variable v ∈ var(G) if one of the following conditions holds:

  • there is ι in G such that v ∈ var(ι) and p ∈ {snd(ι), rcv(ι)}, or

  • there is a recursive definition $\mu t(\tilde e_1\, e\, \tilde e_2)\{\tilde v_1\, v\, \tilde v_2 \mid \psi\}.G'$ in G such that p knows all the variables in var(e) and, for each recursive invocation $t(\tilde e_1'\, e'\, \tilde e_2')$ in G′, p knows all the variables in var(e′).

We denote with knows_p(G) the set of variables in var(G) that p knows.
Example 1. Consider the following global assertion

    G_ex1 = I → Server : {x | x > 3}.
            μt(3){r | true}. Server → Player : {
                {r > x} less    : Player → Server : {y | true}. t(y),
                {r < x} greater : Player → Server : {z | true}. t(z),
                {r = x} win     : end
            }

where I initialises a value x > 3 for Server. Then, repeatedly, Server sends a label chosen from the set {less, greater, win} to Player depending on r being greater than, smaller than, or equal to the value of x; Player replies with an integer in the first two cases, while the interaction ends if win was sent by Server. In G_ex1, both I and Server know x while Player does not; instead, the recursion parameter r is known only to Server and Player.


It is convenient to treat global assertions as trees whose nodes are drawn from a set N (ranged over by n, n′, ...) and labelled with information on the syntactic categories of global assertions. Hereafter, we write n ∈ T if n is a node of a tree T, refer to the label attached to n as the label of n, and write T° for the root of T.


68 L. Bocchi, J. Lange, E. Tuosto

Definition 2 (Assertion Tree). The assertion tree T(G) of a global assertion G is defined as follows:

  • If G = ι.G′ then T(G)° has label ι and its unique child is T(G′).

  • If $G = s \to r : \{\{\psi_j\}\, l_j : G_j\}_{j \in J}$ then T(G)° has label s → r and its children are $\{n_j\}_{j \in J} \subseteq N$ such that, for each j ∈ J, n_j has label {ψ_j} l_j and T(G_j) is the unique child of n_j.

  • If $G = \mu t(\tilde e)\{\tilde v \mid \psi\}.G'$ then T(G)° has label $\mu t(\tilde e)\{\tilde v \mid \psi\}$ and its unique child is T(G′).

  • If $G = t(\tilde e)$ then T(G) consists of one node with label $t(\tilde e)$.

  • If G = end then T(G) consists of one node with label end.

We denote the set of assertion trees as 𝒯 and let T, T′, ... range over 𝒯.


Example 2. The assertion tree for the global assertion of Example 1 can be depicted as:

    I → Server : {x | x > 3}
    └── μt(3){r | true}
        └── Server → Player
            ├── {r > x} less
            │   └── Player → Server : {y | true}
            │       └── t(y)
            ├── {r < x} greater
            │   └── Player → Server : {z | true}
            │       └── t(z)
            └── {r = x} win
                └── end

where identities of nodes are not shown and only their labels appear.
For convenience, given T ∈ 𝒯, we will use the partial functions

    $\mathit{var}_T : N \to 2^V,\qquad \mathit{cst}_T : N \to \Psi,\qquad \mathit{snd}_T, \mathit{rcv}_T : N \to P$

that are undefined⁴ on N \ {n | n ∈ T} and defined as follows otherwise:

    $\mathit{var}_T(n) = \begin{cases} \mathit{var}(\iota), & \text{if } n \text{ has label } \iota \\ \emptyset, & \text{otherwise} \end{cases}$

    $\mathit{cst}_T(n) = \begin{cases} \psi, & \text{if } n \text{ has label } \iota \text{ and } \mathit{cst}(\iota) = \psi \\ \psi, & \text{if } n \text{ has label } \{\psi\}\, l \\ \mathit{true}, & \text{otherwise} \end{cases}$

    $\mathit{snd}_T(n) = \begin{cases} \mathit{snd}(\iota), & \text{if } n \text{ has label } \iota \\ s, & \text{if } n \text{ has label } s \to r \\ \bot, & \text{otherwise} \end{cases}
    \qquad
    \mathit{rcv}_T(n) = \begin{cases} \mathit{rcv}(\iota), & \text{if } n \text{ has label } \iota \\ r, & \text{if } n \text{ has label } s \to r \\ \bot, & \text{otherwise} \end{cases}$

⁴We write f(x) = ⊥ when the function f is undefined on x.
Moreover, we shall use the following functions:

  • parent_T(n), returning ε if n = T°, the parent of n in T if n ∈ T, and ⊥ otherwise.

  • n↑_T, returning the path from T° to n (including n) if n ∈ T, and ⊥ otherwise.


Given T ∈ 𝒯, let A(T) be the global assertion obtained by appending the labels of the nodes in a (depth-first) preorder traversal of T.

Fact 1. A(T(G)) = G.

Fact 1 allows us to extend knows_p(_) to 𝒯 by knows_p(T) = knows_p(A(T)).

Fact 2. If T ∈ 𝒯 then T(A(T)) = T.

Facts 1 and 2 basically induce an isomorphism between global assertions and their parsing trees.


3 Towards a Better Past 


In a distributed choreography, parties have to make local choices on the 
communicated values; such choices impact on the graceful coordination of 
the distributed parties. It is therefore crucial that the responsible party has 
“enough information” to commit to an “appropriate” local choice, at each 
point of the choreography. For global assertions, this distills into history 
sensitivity (HS), a property defined in [3] as follows: 


A predicate guaranteed by a participant p can only contain those 
interaction variables that p knows. 


HS demands the sender/selector of each interaction in a given assertion to 
know all the variables involved in the predicate associated to that interaction. 
We illustrate HS with the following example. 


Example 3. The global assertion G_ex3 below violates HS.

    G_ex3 = Alice → Bob : {v1 | v1 > 0}.
            Bob → Carol : {v2 | v2 > 0}.
            Carol → Alice : {v3 | v3 > v1}

In fact, Carol's obligation v3 > v1 cannot be guaranteed because v1 ∉ knows_Carol(G_ex3).
Given a global assertion G, the function HS(G) below returns the nodes of T(G) where HS is violated:

    $\mathit{HS}(G) \stackrel{\text{def}}{=} \{\, n \in T(G) \mid \mathit{var}(\mathit{cst}_{T(G)}(n)) \not\subseteq \mathit{knows}_s(n\!\uparrow_{T(G)}) \text{ and } s = \mathit{resp}_{T(G)}(n) \,\}$

where resp_T(_) : N → P yields the responsible party of a node and is defined as

    $\mathit{resp}_T(n) = \begin{cases} \mathit{snd}_T(n), & \text{if } n \text{ has label } \iota \\ \mathit{snd}_T(\mathit{parent}_T(n)), & \text{if } n \text{ has label } \{\psi\}\, l \\ \bot, & \text{otherwise} \end{cases}$

Intuitively, to determine whether a node n ∈ T(G) violates HS, one checks if the responsible party of n knows all the variables involved in cst_T(G)(n). Given T ∈ 𝒯, varHS_T(_) : N → 2^V is defined as

    $\mathit{varHS}_T(n) = \mathit{var}(\mathit{cst}_T(n)) \setminus \mathit{knows}_s(n\!\uparrow_T)\qquad \text{where } s = \mathit{resp}_T(n)$

Namely, varHS_T(n) yields the variables of n not known to the responsible party of n. It is a simple observation that if HS is violated at a node n, then there exists a variable in the predicate of n which is not known to the responsible party of n (namely, if n ∈ HS(G) then varHS_T(n) ≠ ∅).


Example 4. Consider the following global assertion:

    G_ex4 = μt(10){v | v > 0}.
            Alice → Bob : {v1 | v > v1}.
            Bob → Carol : {v2 | v2 > v1}.
            Carol → Alice : {v3 | v3 > v1}.
            Carol → Bob : {v4 | v4 > v}.
            t(v1)

HS(G_ex4) = {n3, n4}, where n3 and n4 are the nodes in T(G_ex4) corresponding to the third and fourth interactions of G_ex4, i.e., n3 = Carol → Alice : {v3 | v3 > v1} and n4 = Carol → Bob : {v4 | v4 > v}.

In Example 4, Carol is responsible for both violations (i.e., resp_T(G_ex4)(n3) = resp_T(G_ex4)(n4) = Carol). The violation in n3 is on varHS_T(G_ex4)(n3) = {v1} (i.e., Carol has to choose v3 so that v3 > v1 without knowing v1) and the violation in n4 is on varHS_T(G_ex4)(n4) = {v} (i.e., Carol has to choose v4 so that v4 > v without knowing v). Note that a violation of HS does not imply that Carol will actually violate the condition v3 > v1: Carol could unknowingly choose either a violating or a non-violating value for v3.
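The following Python program is an added worked example (not code from the paper or its authors) that computes knows_p and HS(G) for Example 3 and Example 4 above. It encodes a global assertion with prefixes, recursive definitions and recursive calls (branching is omitted), represents each predicate by var(ψ) plus its text, and reads the recursive-call clause of Definition 1 over the whole recursion body, which is the reading under which Carol does not know v in Example 4; the class and function names are this example's own.

```python
"""Added example (not the authors' code): history sensitivity, Definition 1 and
the function HS(G), over a small encoding of global assertions with prefixes,
recursive definitions and recursive calls (branching is left out). A predicate
is represented by the set var(psi) of its free variables, which is all that HS
needs, plus its text for reporting."""
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass
class Send:
    """Interaction s -> r : { vars | pred }  (the iota of (2.1))."""
    snd: str
    rcv: str
    vars: Tuple[str, ...]
    pred_vars: Set[str]
    pred_text: str


@dataclass
class Rec:
    """Recursive definition mu t(e~){v~ | psi}.body; init_vars[j] = var(e_j)."""
    t: str
    init_vars: Tuple[Set[str], ...]
    params: Tuple[str, ...]
    body: List[object]


@dataclass
class Call:
    """Recursive call t(e~'); arg_vars[j] = var(e'_j)."""
    t: str
    arg_vars: Tuple[Set[str], ...]


def flatten(g):
    """Nodes of T(G) in pre-order; a Rec node is followed by the nodes of its body."""
    out = []
    for node in g:
        out.append(node)
        if isinstance(node, Rec):
            out.extend(flatten(node.body))
    return out


def knows(p, path):
    """knows_p over `path` (the nodes from the root to n, i.e. n^T), Definition 1.
    Recursive calls are looked up in the whole body of the definition, which is
    the reading under which Carol does not know v in Example 4."""
    known = set()
    for n in path:
        if isinstance(n, Send) and p in (n.snd, n.rcv):
            known |= set(n.vars)
    changed = True
    while changed:  # least fixpoint for the recursion-parameter clause
        changed = False
        for n in path:
            if not isinstance(n, Rec):
                continue
            calls = [c for c in flatten(n.body) if isinstance(c, Call) and c.t == n.t]
            for j, param in enumerate(n.params):
                cond = (param not in known and n.init_vars[j] <= known
                        and all(c.arg_vars[j] <= known for c in calls))
                if cond:
                    known.add(param)
                    changed = True
    return known


def hs_violations(g):
    """HS(G): (pre-order index, responsible party, varHS) for each violating node."""
    nodes = flatten(g)
    out = []
    for i, n in enumerate(nodes):
        if isinstance(n, Send):
            unknown = n.pred_vars - knows(n.snd, nodes[:i + 1])
            if unknown:
                out.append((i, n.snd, unknown))
    return out


# Example 4 of the text: mu t(10){v | v > 0}. Alice->Bob:{v1|v>v1}. ... t(v1)
G_EX4 = [Rec("t", (set(),), ("v",), [
    Send("Alice", "Bob", ("v1",), {"v", "v1"}, "v > v1"),
    Send("Bob", "Carol", ("v2",), {"v2", "v1"}, "v2 > v1"),
    Send("Carol", "Alice", ("v3",), {"v3", "v1"}, "v3 > v1"),
    Send("Carol", "Bob", ("v4",), {"v4", "v"}, "v4 > v"),
    Call("t", ({"v1"},)),
])]

# Example 3 of the text: Alice->Bob:{v1|v1>0}. Bob->Carol:{v2|v2>0}. Carol->Alice:{v3|v3>v1}
G_EX3 = [
    Send("Alice", "Bob", ("v1",), {"v1"}, "v1 > 0"),
    Send("Bob", "Carol", ("v2",), {"v2"}, "v2 > 0"),
    Send("Carol", "Alice", ("v3",), {"v3", "v1"}, "v3 > v1"),
]

if __name__ == "__main__":
    for name, g in (("G_ex3", G_EX3), ("G_ex4", G_EX4)):
        for i, who, missing in hs_violations(g):
            n = flatten(g)[i]
            print(f"{name}: {who} must guarantee '{n.pred_text}' without knowing {sorted(missing)}")
```

Running the program reports the single violation of Example 3 and the two violations n3 and n4 of Example 4, both attributed to Carol with varHS = {v1} and {v} respectively, as computed by hand above.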

In § 3.1 and § 3.2, we present two algorithms that fix, when possible, 
violations of HS in a global assertion. We discuss and compare their applica- 
bility, as well as the relationship between the amended global assertion and 
the original one. We shall use Example 4 as the running example of § 3.1 
and § 3.2. 


3.1 Strengthening

Throughout this section we fix a global assertion G and its assertion tree T = T(G), and assume HS is violated at n ∈ T with cst_T(n) = ψ and resp_T(n) = s.

Violations occur when the responsible party s of n ignores at least one variable v ∈ var(ψ). The strengthening algorithm (cf. Definition 4) replaces ψ in G with a predicate ψ[v′/v] so that

  (1) v′ is a variable that s knows,

  (2) if ψ[v′/v] and the predicates occurring from T° to parent_T(n) are satisfied, then ψ is also satisfied.

Intuitively, the method strengthens ψ by replacing it with ψ[v′/v] so that: due to (1), the variable v, unknown to the sender/selector, is removed, and due to (2), ψ can still be guaranteed. In fact, relying on the information provided by all the predicates occurring before n, if the sender/selector guarantees ψ[v′/v] then (s)he also guarantees ψ. If there is no variable v′ that ensures (1) and (2), then we say that strengthening is not applicable.

Let PRED_T : N → Ψ yield the conjunction of the predicates on the path from T° to the parent of a node:

    $\mathit{PRED}_T(n) = \begin{cases} \bot, & \text{if } \mathit{parent}_T(n) = \bot \\ \mathit{true}, & \text{if } \mathit{parent}_T(n) = \epsilon \\ \mathit{cst}_T(\mathit{parent}_T(n)) \wedge \mathit{PRED}_T(\mathit{parent}_T(n)), & \text{otherwise} \end{cases}$

The function strengthen(G) uses PRED_T to compute a global assertion G′ by replacing in G, if possible, the predicate violating HS with a stronger one.
Definition 3 (strengthen). If HS(G) = ∅ then strengthen(G) returns G. If n ∈ HS(G), v ∈ varHS_T(n) and there exists v′ ∈ knows_s(n↑_T) such that

    $\mathit{PRED}_T(n) \wedge \psi[v'/v] \supset \psi \qquad \text{with } \psi = \mathit{cst}_T(n)$                    (3.1)

then strengthen(G) returns A(T′) where T′ is obtained from T by replacing ψ with ψ[v′/v] in n.

When condition (3.1) does not hold for any v′ ∈ knows_s(n↑_T), strengthen(G) returns G_{⊥n}, indicating that G violates HS at n ∈ HS(G).

The algorithm Σ in Definition 4 recursively applies strengthen(_) until either the global assertion satisfies HS or strengthening is not applicable anymore.

Definition 4 (Σ). The algorithm Σ is defined as follows:

    $\Sigma(G) \stackrel{\text{def}}{=} \begin{cases} \mathit{strengthen}(G), & \text{if } \mathit{strengthen}(G) \in \{G, G_{\bot n}\} \\ \Sigma(\mathit{strengthen}(G)), & \text{otherwise} \end{cases}$
Example 5. Consider G_ex4 from Example 4 and recall that HS(G_ex4) = {n3, n4}. Strengthening is applicable to n3 since, by substituting v1 with v2 in v3 > v1 (with v2 ∈ knows_Carol(n3↑_T(G_ex4))), condition (3.1) in Definition 3 holds:

    (v > 0 ∧ v > v1 ∧ v2 > v1) ∧ (v3 > v2) ⊃ (v3 > v1)

The invocation of strengthen(G_ex4) returns (by substituting v1 with v2):

    G′ = μt(10){v | v > 0}.
         Alice → Bob : {v1 | v > v1}.
         Bob → Carol : {v2 | v2 > v1}.
         Carol → Alice : {v3 | v3 > v2}.
         Carol → Bob : {v4 | v4 > v}.
         t(v1)

The invocation of strengthen(G′) returns G′_{⊥n4}, since G′ still has one violating node n4 for which strengthening is not applicable. In fact, knows_Carol(n4↑_T(G′)) = {v2, v3} and:

  • by substituting v with v2, condition (3.1) in Definition 3 does not hold, since (v > 0 ∧ v > v1 ∧ v2 > v1 ∧ v3 > v2) ∧ (v4 > v2) ⊅ (v4 > v);

  • by substituting v with v3, condition (3.1) in Definition 3 does not hold, since (v > 0 ∧ v > v1 ∧ v2 > v1 ∧ v3 > v2) ∧ (v4 > v3) ⊅ (v4 > v).
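As an added example (not the authors' code), the program below checks condition (3.1) for the two steps of Example 5. Since the paper leaves the logic Ψ abstract, the entailment PRED_T(n) ∧ ψ[v′/v] ⊃ ψ is decided here by exhaustively evaluating the predicates over a small integer domain; that bounded check is an assumption standing in for a decision procedure for Ψ (an SMT solver in practice) and is only as good as the domain it enumerates. The program also separates the candidates v′ for which the strengthened predicate is unsatisfiable together with PRED_T(n): Definition 3 accepts them, because (3.1) then holds vacuously, but they trade the HS problem for a TS one, which a designer would want flagged.

```python
"""Added example (not the authors' code): checking condition (3.1) of
Definition 3 for a violating node. The entailment PRED ∧ psi[v'/v] ⊃ psi is
decided by exhaustive evaluation over a small integer domain; this bounded
check is an ASSUMPTION standing in for a decision procedure for the logic Psi
(an SMT solver in practice), and is sound only for the domain it enumerates."""
import re
from itertools import product


class Pred:
    """A predicate psi: its text, var(psi), and a Python evaluator over an
    environment mapping interaction variables to values."""

    def __init__(self, text, variables, fn):
        self.text, self.vars, self.fn = text, frozenset(variables), fn

    def subst(self, new, old):
        """psi[new/old]: evaluate psi with `old` bound to the value of `new`."""
        text = re.sub(rf"\b{re.escape(old)}\b", new, self.text)
        return Pred(text, (self.vars - {old}) | {new},
                    lambda env: self.fn({**env, old: env[new]}))


FALSE = Pred("false", (), lambda env: False)


def counterexample(antecedents, conclusion, variables, domain):
    """An environment over `domain` making every antecedent true and the
    conclusion false, or None if none exists (bounded validity of the
    implication). With conclusion FALSE this is a bounded satisfiability
    check of the antecedents."""
    names = sorted(variables)
    for values in product(domain, repeat=len(names)):
        env = dict(zip(names, values))
        if all(p.fn(env) for p in antecedents) and not conclusion.fn(env):
            return env
    return None


def strengthen_candidates(pred_path, psi, v, known, domain=range(-3, 4)):
    """Split the variables v' in `known` into those for which (3.1) holds
    non-vacuously and those for which PRED ∧ psi[v'/v] is unsatisfiable.
    pred_path lists the predicates from the root to parent(n); their
    conjunction is PRED_T(n). The vacuity split is this example's addition:
    Definition 3 accepts any v' satisfying (3.1), but an unsatisfiable
    strengthened predicate merely trades the HS problem for a TS one."""
    variables = set(psi.vars) | {x for p in pred_path for x in p.vars} | set(known)
    applicable, vacuous = [], []
    for v_new in sorted(known):
        strengthened = psi.subst(v_new, v)
        if counterexample(pred_path + [strengthened], psi, variables, domain) is not None:
            continue  # (3.1) fails: PRED ∧ psi[v'/v] does not entail psi
        if counterexample(pred_path + [strengthened], FALSE, variables, domain) is not None:
            applicable.append(v_new)
        else:
            vacuous.append(v_new)
    return applicable, vacuous


def gt(a, b):
    """Evaluator for the predicate a > b."""
    return lambda env: env[a] > env[b]


# Predicates of G_ex4 (Example 4); v is the recursion parameter.
P_INV = Pred("v > 0", {"v"}, lambda env: env["v"] > 0)
P1 = Pred("v > v1", {"v", "v1"}, gt("v", "v1"))    # cst(n1)
P2 = Pred("v2 > v1", {"v2", "v1"}, gt("v2", "v1"))  # cst(n2)
P3 = Pred("v3 > v1", {"v3", "v1"}, gt("v3", "v1"))  # cst(n3), violated by Carol
P4 = Pred("v4 > v", {"v4", "v"}, gt("v4", "v"))     # cst(n4), violated by Carol


def example5():
    """Replays Example 5: n3 is repaired with v2, then n4 in G' is stuck."""
    # n3: PRED(n3) = v>0 ∧ v>v1 ∧ v2>v1; Carol knows {v2, v3} on n3↑
    ok3, vac3 = strengthen_candidates([P_INV, P1, P2], P3, "v1", {"v2", "v3"})
    p3_new = P3.subst(ok3[0], "v1")
    # n4 in G': PRED(n4) now ends with the strengthened predicate of n3
    ok4, vac4 = strengthen_candidates([P_INV, P1, P2, p3_new], P4, "v", {"v2", "v3"})
    return ok3, vac3, p3_new.text, ok4, vac4


if __name__ == "__main__":
    ok3, vac3, new_text, ok4, vac4 = example5()
    print("n3: usable", ok3, "vacuous", vac3, "->", new_text)
    print("n4: usable", ok4, "vacuous", vac4, "-> strengthening not applicable")
```

For n3 the only non-vacuous candidate is v2, giving v3 > v2 as in the text; v3 itself satisfies (3.1) only because v3 > v3 is unsatisfiable. For n4 both candidates admit a counterexample (e.g. v = 3, v1 = 0, v2 = 1, v3 = 2, v4 = 2 for v2), so strengthening is not applicable, matching Example 5.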
3.2 Variable Propagation

An alternative approach to solving HS problems is based on modifying global assertions so that the responsible parties of the violating nodes come to know the variables causing the violation. The idea is that such variables are propagated along a “chain of interactions”.

Definition 5 (<_T). Let n, n′ ∈ T; n <_T n′ iff n appears in n′↑_T and rcv_T(n) = snd_T(n′). A vector of nodes n1, ..., nt is a chain in T (or a <_T-chain) iff n_i <_T n_{i+1} for all i ∈ {1, ..., t−1}.

The relation <_T is similar to the IO-dependency defined in [8] but does not consider branching, since a branching does not carry interaction variables.

Given a chain π = n1 ⋯ nt in T, let the propagation in π of $v_0 \in \mathit{var}(\mathit{cst}_T(n_t))$ be the tree T′ ∈ 𝒯 obtained by updating the nodes in T as follows:

  • for i = 1, ..., t−1, var_T′(n_i) = var_T(n_i) v_i and cst_T′(n_i) = cst_T(n_i) ∧ (v_i = v_{i−1}), with v_1, ..., v_{t−1} ∈ V fresh and pairwise distinct;

  • cst_T′(n_t) = cst_T(n_t)[v_{t−1}/v_0] (note that t > 1);

  • all the other nodes of T remain unchanged.

For a sequence of nodes π, P_T(v_0, π) denotes T′ as computed above if π is a <_T-chain, and ⊥ otherwise.


Example 6. In the global assertion G_ex6 below, assume Alice knows v from previous interactions (the ellipsis in G_ex6).

    G_ex6 = ... Alice → Bob : {u1 | ψ1}.
                Bob → Carol : {u2 | ψ2}.
                Bob → Dave : {u3 | ψ3}.
                Dave → Alice : {u4 | u4 > v}

For the chain π = n1 n3 n4 in T(G_ex6) (where n_i corresponds to the i-th interaction in G_ex6), P_T(G_ex6)(v, π) returns T′ such that A(T′) is

    G′_ex6 = ... Alice → Bob : {u1 v1 | ψ1 ∧ v1 = v}.
                 Bob → Carol : {u2 | ψ2}.
                 Bob → Dave : {u3 v2 | ψ3 ∧ v2 = v1}.
                 Dave → Alice : {u4 | u4 > v2}
Hereafter, we fix a global assertion G; let T = T(G), n ∈ HS(G), v ∈ varHS_T(n), and s = resp_T(n). The propagation algorithm (cf. Definition 7) is applicable only if there exists a <_T-chain in n↑_T through which v can be propagated, from a node whose sender knows v, down to n (whose sender is s).

We define a function propagate which takes a global assertion G and returns G itself if HS is satisfied, G_{⊥n} if HS is violated at n ∈ T(G) and propagation is not applicable, and G′ otherwise, where G′ is obtained by propagating a violating variable v of node n. In the latter case, observe that v has necessarily been introduced in a node n′ ∈ n↑_T(G) from which v can be propagated, since we assume G closed.

Definition 6 (propagate). The function propagate(G) returns

  • G, if HS(G) = ∅;

  • P_T(v, π), if T = T(G) and there exist n ∈ HS(G), v ∈ varHS_T(n), and a chain π = n_0 ⋯ n in T such that snd_T(n_0) knows v;

  • G_{⊥n}, with n ∈ HS(G), otherwise.
Example 7. Consider again the global assertion G′ obtained after the invocation strengthen(G_ex4) in Example 5. In this case HS(G′) = {n4} with n4 = Carol → Bob : {v4 | v4 > v}. Propagation is applicable to n4 and propagate(G′) returns

    G″ = μt(10){v | v > 0}.
         Alice → Bob : {v1 | v > v1}.
         Bob → Carol : {v2 u1 | v2 > v1 ∧ u1 = v}.
         Carol → Alice : {v3 | v3 > v2}.
         Carol → Bob : {v4 | v4 > u1}.
         t(v1)

By propagating v from the second interaction, where the sender Bob knows v, to Carol, G″ satisfies HS. The predicate of the last interaction derives from the substitution (v4 > v)[u1/v].


The propagation algorithm is defined below and is based on repeated application of propagate(_).

Definition 7 (Π). Given a global assertion G, the function Π is defined as follows:

    $\Pi(G) \stackrel{\text{def}}{=} \begin{cases} \mathit{propagate}(G), & \text{if } \mathit{propagate}(G) \in \{G, G_{\bot n}\} \\ \Pi(\mathit{propagate}(G)), & \text{otherwise} \end{cases}$
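The program below is an added example (not the authors' code) of the propagation step of § 3.2: it enumerates the <_T-chains of Definition 5 whose first sender knows the problematic variable, applies P_T(v_0, π) along the chosen chain, and returns None in the G_{⊥n} case. It works on a linear fragment (prefixes only, no branching or recursion), so Example 6 is replayed with Alice's prior knowledge of v supplied as an input table; the interaction encoding and the fresh-name scheme v1, v2, ... are this example's own choices.

```python
"""Added example (not the authors' code): the propagation step of Definitions 5
and 6 on a linear global assertion (a sequence of prefixes; branching and
recursion are left out). The interaction encoding and the fresh-name scheme
are this example's own choices."""
import re
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Ia:
    """Interaction s -> r : { vars | pred }; pvars is var(pred)."""
    snd: str
    rcv: str
    vars: tuple
    pred: str
    pvars: frozenset


def knows(p, nodes, upto, pre_known):
    """knows_p on the path n_1 .. n_upto (Definition 1, linear case). pre_known
    maps a participant to variables it learnt before this fragment (the
    ellipsis of Example 6)."""
    known = set(pre_known.get(p, ()))
    for n in nodes[:upto + 1]:
        if p in (n.snd, n.rcv):
            known |= set(n.vars)
    return known


def chains(nodes, target, v0, pre_known):
    """All <_T-chains n_0 ... n_target (as index lists, length > 1) whose first
    sender knows v0 there: n <_T n' iff n precedes n' and rcv(n) = snd(n')."""
    def extend(chain):
        first = chain[0]
        for i in range(first - 1, -1, -1):
            if nodes[i].rcv == nodes[first].snd:
                yield from extend([i] + chain)
        if len(chain) > 1 and v0 in knows(nodes[first].snd, nodes, first, pre_known):
            yield chain
    yield from extend([target])


def propagate_along(nodes, chain, v0):
    """P_T(v0, chain): every node but the last introduces a fresh variable,
    chained by equalities v_i = v_{i-1}; the last predicate is rewritten on the
    final fresh variable, which its sender has by then received."""
    used = set()
    for n in nodes:
        used |= set(n.vars) | set(n.pvars)
    fresh, i = [], 1
    while len(fresh) < len(chain) - 1:
        cand = f"{v0}{i}"  # fresh-name scheme chosen for this example
        if cand not in used:
            fresh.append(cand)
            used.add(cand)
        i += 1
    out, prev = list(nodes), v0
    for idx, f in zip(chain[:-1], fresh):
        n = out[idx]
        out[idx] = replace(n, vars=n.vars + (f,), pred=f"{n.pred} and {f} = {prev}",
                           pvars=n.pvars | {f, prev})
        prev = f
    last = out[chain[-1]]
    out[chain[-1]] = replace(last, pred=re.sub(rf"\b{re.escape(v0)}\b", prev, last.pred),
                             pvars=(last.pvars - {v0}) | {prev})
    return out


def propagate(nodes, pre_known):
    """Definition 6, linear case: the assertion itself if HS holds, the result
    of propagating one violating variable along the first chain found, or
    None (the G_bot_n case) when no chain exists."""
    for i, n in enumerate(nodes):
        unknown = n.pvars - knows(n.snd, nodes, i, pre_known)
        if not unknown:
            continue
        v0 = min(unknown)
        for chain in chains(nodes, i, v0, pre_known):
            return propagate_along(nodes, chain, v0)
        return None
    return nodes


# Example 6: psi1..psi3 are placeholders constraining only their own variables.
G_EX6 = [
    Ia("Alice", "Bob", ("u1",), "psi1", frozenset()),
    Ia("Bob", "Carol", ("u2",), "psi2", frozenset()),
    Ia("Bob", "Dave", ("u3",), "psi3", frozenset()),
    Ia("Dave", "Alice", ("u4",), "u4 > v", frozenset({"u4", "v"})),
]
PRE_KNOWN = {"Alice": {"v"}}  # Alice knows v from the elided earlier interactions

if __name__ == "__main__":
    for n in propagate(G_EX6, PRE_KNOWN):
        print(f"{n.snd} -> {n.rcv} : {{ {' '.join(n.vars)} | {n.pred} }}")
```

On G_ex6 the only usable chain is n1 n3 n4 (n2 is a dead end because Carol sends nothing later), and the output is G′_ex6 of Example 6. Dropping Alice's prior knowledge of v leaves no chain at all, which is the case in which propagate returns G_{⊥n}. Note, in the spirit of Remark 4 below, that every receiver on the chain (here Bob and Dave) is handed a copy of v.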
3.3 Properties of Σ and Π

We now discuss the properties of the global assertions amended by each algorithm and compare them. Hereafter, we say that Σ (resp. Π) returns G when it returns either G itself or G_{⊥n} for some n.

The applicability of Σ depends on whether it is possible to find a variable, known by the responsible party of the violating node, such that condition (3.1) in Definition 3 is satisfied. The applicability of Π depends on whether there exists a chain through which the problematic variable can be propagated. Observe also that there are cases in which Σ is applicable and Π is not, and vice versa. Moreover, Σ(G) ≠ Π(G) in general, hence it may not always be clear which one should be preferred.


Remark 3. Linearity of the underlying multiparty session types [8] guarantees the existence of a dependency chain between the interactions. However, linearity does not guarantee that Π is always applicable. The reason is that n1 ≺ n2 in the sense of [8] does not imply n1 <_T n2, since <_T does not take into account branching but only interactions.


Remark 4. In distributed applications it is often necessary to guarantee that exchanged information is accessible only to the intended participants. It is worth observing that Π discloses information about the propagated variable to the participants involved in the propagation chain: each interaction of the chain carries an additional variable equal to the propagated one, so every receiver along the chain learns its value. The architect should therefore evaluate when it is appropriate to use Π.

One could think of an extension of propagate(G) which propagates variables only to participants entitled to know them. The existence of a propagation chain π for a variable v may be parameterised by two sets of participants chosen by the architect: a set A containing the participants who are allowed to know the value of v and a set N of participants not allowed to know it. Let T = T(G) and v_0 a variable causing an HS problem in G; an acceptable chain π is defined as in § 3.2 and is such that

  • for all n ∈ π, rcv_T(n) ∉ N, and

  • there is no other chain π′ with P_T(v_0, π′) ≠ ⊥ such that |P(π)| < |P(π′)|, where

        P(π) = {r | there exists n ∈ π such that r = rcv_T(n) ∈ A}

Note that even though this additional condition provides more fine-grained control on the way problems are solved, it also decreases the applicability range of the algorithm, since the existence of such a chain is not guaranteed.


We now show that the strengthening and propagation algorithms preserve the structure of the assertion tree and terminate.


Lemma 1. Let G be a global assertion; strengthen(G) (resp. propagate(G)) always returns G′ such that T(G′) is isomorphic to T(G), namely it has the same tree structure (but possibly different labels).

Proof: By Definition 3, strengthen(G) always returns either G (which includes the case of G_{⊥n}) or G′. T(G′) is isomorphic to T(G) as the two trees are either the same or differ only in the label of one node. By Definition 6, propagate(G) always returns either G (which includes the case of G_{⊥n}) or G′ = P_T(G)(v_0, π) for some chain π and variable v_0. By definition of P_T(G)(v_0, π), T(G′) differs from T(G) only in the labels of the nodes in π, hence T(G′) is isomorphic to T(G).

Next we show that both Σ and Π do not change the structure of the given global assertion.

Proposition 1. Let G be a global assertion. If it terminates, Σ(G) (resp. Π(G)) returns G′ such that T(G′) is isomorphic to T(G).

Proof: We proceed by induction on the number of recursive invocations of Σ. We omit the proof for Π since it is similar. In the base case Σ(G) = strengthen(G) (first case of Definition 4); by Lemma 1, strengthen(G) always returns G′ such that T(G) is isomorphic to T(G′), hence Σ(G) returns G′ such that T(G) is isomorphic to T(G′), as required. In the inductive case Σ(G) = Σ(strengthen(G)) (second case of Definition 4); by the inductive hypothesis, if Σ(strengthen(G)) returns G′ then T(G′) is isomorphic to T(strengthen(G)), and by Lemma 1 T(strengthen(G)) is isomorphic to T(G); the thesis follows by transitivity of isomorphism.


We next show that Σ and Π terminate, as a corollary of Lemma 2.

Lemma 2. Let G be a global assertion, T = T(G), and k be the number of HS violations in T.⁵ Let k_1, k_2 be the number of HS violations in T_1 = T(strengthen(G)) and T_2 = T(propagate(G)), respectively; then either T_i = T or k_i = k − 1, with i ∈ {1, 2}.

⁵More than one violation may occur in one node if the sender does not know several variables.
Proof: By Proposition 1, $T$ and $T_1$ are isomorphic. Let $n_1 \in T_1$ be the node 
corresponding to $n \in T$. By definition of HS the violation in a node $n' \in T_1$ 
is defined only in terms of the nodes in $n'\!\uparrow_{T_1}$. By definition of $strengthen(\_)$ 
the only node in which $T$ differs from $T_1$ is $n_1$. Hence, if a violation is added 
in $T_1$ with respect to $T$ it must be in the subtree of $T_1$ rooted at $n_1$. However, 
a violation is not added in $n_1$ itself since the variable chosen to replace the 
problematic one is selected so that the responsible party knows it. No 
violation can be added in the subtree rooted at $n'$ since $strengthen(\_)$ does 
not modify the variables known by the participants (but only the predicates). 
Thus, either $T_1 = T$ or $k_1 = k - 1$. In the case $T_2 = T(propagate(G))$, 
assume $\hat n \in HS(T)$ with $\hat n = s \to r : \{\tilde v \mid \varphi\}$, $v \in varHS_T(\hat n)$, and there 
exists a $\prec_T$-chain $n_0\,\bar\eta\,\hat n$ with $n_0 = s_0 \to r_0 : \{\tilde v_0 \mid \psi_0\}$ such that $s_0$ 
knows $v$. We proceed by case analysis showing that, in any node $n \in T_2$ such 
that $n \neq \hat n$, no violation is introduced, and exactly one violation is removed 
from $\hat n$. 


• if $n = n_0$ no violation is introduced since $n_0$ becomes $s_0 \to r_0 : \{\tilde v_0\, v_0 \mid \psi_0 \wedge v_0 = v\}$ 
in $T_2$ where, by Definition 6, $s_0$ knows $v$. 

• if $n_i \in \bar\eta$ by definition of propagation $n_i = s_i \to r_i : \{\tilde v_i \mid \psi_i\}$ 
becomes $s_i \to r_i : \{\tilde v_i\, v_i \mid \psi_i \wedge v_{i-1} = v_i\}$ in $T_2$ where, by Definition 5, 
$r_{i-1} = s_i$. It follows that $s_i$ has previously received $v_{i-1}$, hence he/she 
knows it. 

• if $n = \hat n$, following Definition 5, $cst_{T_2}(\hat n) = \varphi[v_0/v]$ and the problem 
on $v$ at $\hat n$ has been solved since $s$ knows $v_0$, and $v$ does not appear in 
$\varphi$ anymore, hence $k_2 = k - 1$. 

• if $n$ does not belong to the $\prec_T$-chain $n_0\,\bar\eta\,\hat n$ then $n$ remains unchanged 
and no violation is introduced. Note that if $n$ is in the subtree rooted 
at $\hat n$, no violation is introduced since propagation does not decrease 
the knowledge of any participant. 


Corollary 1. Let $G$ be a global assertion; $\Sigma(G)$ and $\Pi(G)$ terminate. 


Whereas $\Sigma$ does not change the global type underlying the global 
assertion, $\Pi$ does. Indeed, in the resulting global assertion, more variables 
are exchanged in each interaction involved in the propagation. However, the 
structure of the tree remains the same. 

Let $erase(G)$ be the function that returns the underlying global type [8] 
corresponding to $G$ (i.e. a global assertion without predicates). 


Definition 8. Given a global assertion $G$, $erase(G)$ is defined inductively as: 

  $erase(G) =$ 
    $s \to r : \tilde v\,.\,erase(G')$  if $G = s \to r : \{\tilde v \mid \psi\}.G'$ 
    $s \to r : \{\, l_j : erase(G_j) \,\}_{j \in J}$  if $G = s \to r : \{\, \{\psi_j\}\, l_j : G_j \,\}_{j \in J}$ 
    $\mu t\,.\,erase(G')$  if $G = \mu t(\tilde e)\{\tilde v \mid \psi\}.G'$ 
    $G$  if $G = \mathsf{end}$ or $G = t$ 


Lemma 3. Let $G$ and $G'$ be two assertions that differ only in the predicates 
annotating interactions and branchings. Then $erase(G) = erase(G')$. 


Proof: The proof is by structural induction on $G$. 

End session. If $G = \mathsf{end}$ and $G' = \mathsf{end}$ the thesis follows from the fact that 
$erase(G) = erase(G') = \mathsf{end}$. 

Recursive call. If $G = t(\tilde e)$ and $G' = t(\tilde e)$ the thesis follows from the fact 
that $erase(G) = erase(G') = t$. 

Interaction (prefix). Let $G = s \to r : \{\tilde v \mid \psi\}.G_0$ and $G' = s \to r : \{\tilde v \mid \psi'\}.G'_0$ 
for some $\psi'$ and $G'_0$. By Definition 8, $erase(G) = s \to r : \tilde v\,.\,erase(G_0)$ 
and $erase(G') = s \to r : \tilde v\,.\,erase(G'_0)$, hence 

  $erase(G) = erase(G')$   (3.2) 

The thesis follows from (3.2) and from the fact that by inductive hypothesis 
$erase(G_0) = erase(G'_0)$ holds. 

Branching. Let $G = s \to r : \{\, \{\psi_j\}\, l_j : G_j \,\}_{j \in J}$ and $G' = s \to r : \{\, \{\psi'_j\}\, l_j : G'_j \,\}_{j \in J}$ 
for some $\psi'_j$ and $G'_j$. By Definition 8, $erase(G) = s \to r : \{\, l_j : erase(G_j) \,\}_{j \in J}$ 
and $erase(G') = s \to r : \{\, l_j : erase(G'_j) \,\}_{j \in J}$, hence (3.2) holds also in 
this case. The thesis follows from (3.2) and by the fact that by inductive 
hypothesis $erase(G_j) = erase(G'_j)$ for all $j \in J$. 

Recursive definition. Let $G = \mu t(\tilde e)\{\tilde v \mid \psi\}.G_0$ and $G' = \mu t(\tilde e)\{\tilde v \mid \psi\}.G'_0$ 
for some $G'_0$. By Definition 8, $erase(G) = \mu t\,.\,erase(G_0)$ and $erase(G') = \mu t\,.\,erase(G'_0)$, 
hence (3.2) holds also in this case. The thesis follows 
from (3.2) and by the fact that by inductive hypothesis $erase(G_0) = erase(G'_0)$. 
Lemma 4. Let $G$ be a global assertion and $T = T(G)$. Given a chain 
$\bar\eta = n_1, \ldots, n_t$ in $T$, if $P_T(v_0, \bar\eta) = G'$ for an interaction variable $v_0$, then 
for all $n \in T(G)$ and its corresponding node $n' \in T(G')$, 

  $var_{T(G)}(n) \subseteq var_{T(G')}(n')$ 


Proof: Observe that, by Proposition 1, $T$ is isomorphic to $T'$. Let 
$\bar\eta = n_1, \ldots, n_t$, $n \in T$, $n' \in T'$, and $n'$ be the corresponding node of $n$ in 
$T'$. We proceed by case analysis on the (labels of the) nodes of $T$, which we 
divide in three groups following the definition of $P_T(v_0, \bar\eta)$: 

• if $n = n_i$ with $i \in \{1, \ldots, t-1\}$ then $var_{T'}(n') = var_T(n)\, v_i$. 

• if $n = n_t$ then $var_{T'}(n') = var_T(n)$. 

• if $n \notin \bar\eta$ then $n'$ has the same label as $n$ since by definition of $P_T(v_0, \bar\eta)$ 
all nodes not in $\bar\eta$ are unchanged. 

In all cases the above thesis holds. 


Proposition 2 (Underlying Type Structure). Let $G$ be a global assertion, 

• if $\Sigma(G)$ returns $G'$ then $erase(G) = erase(G')$ 

• if $\Pi(G)$ returns $G'$ then for all $n \in T(G)$ and its corresponding node 
$n' \in T(G')$, 

  $var_{T(G)}(n) \subseteq var_{T(G')}(n')$ 


Proof: As to $\Sigma$, we first observe that $strengthen(G)$ either returns 
$G$ or a $G'$ that differs from $G$ only in the predicate of one (interaction or 
branching) node. By Lemma 3: 

  $erase(G) = erase(strengthen(G))$   (3.3) 

We proceed by induction on the number of applications of $\Sigma$. In the base case, 
$\Sigma$ returns $strengthen(G)$ and the thesis follows immediately from (3.3). In 
the inductive case we have to prove that $erase(\Sigma(G))$ is equal to $erase(G)$. 
By definition of $\Sigma$, in the inductive case $\Sigma(G) = \Sigma(strengthen(G))$. By 
inductive hypothesis $erase(\Sigma(strengthen(G))) = erase(strengthen(G))$. 
Finally, by (3.3) $erase(strengthen(G)) = erase(G)$, which yields the thesis. 

As to $\Pi$, we first observe that if $propagate(G) = G'$ then for all $n \in T(G)$ 
and its corresponding node $n' \in T(G')$, 

  $var_{T(G)}(n) \subseteq var_{T(G')}(n')$   (3.4) 

In fact, $propagate(G)$ either returns $G' = G$ or $G' = P_{T(G)}(v_0, \bar\eta)$. In the 
former case (3.4) holds trivially, in the latter case it holds by Lemma 4. 
To prove the thesis for $\Pi$ we now proceed by induction on the number of 
applications of $\Pi$. In the base case, $\Pi$ returns $propagate(G)$ and the 
thesis follows immediately from (3.4). In the inductive case we have 
to prove that $erase(\Pi(G))$ is equal to $erase(G)$. By definition of $\Pi$, 
in the inductive case $\Pi(G) = \Pi(propagate(G))$. By inductive hypothesis 
$erase(\Pi(propagate(G))) = erase(propagate(G))$. Finally, by (3.4) 
$erase(propagate(G)) = erase(G)$, which yields the thesis. 

The application of $\Sigma$ and $\Pi$ affects the predicates of the original global 
assertion. In $\Sigma$, strengthening allows fewer values for the interaction variables 
of the amended interaction. Conversely, the predicates computed by $\Pi$ 
are equivalent to the original ones (i.e., they allow sender and receiver to 
choose/expect the same set of values). Nevertheless, such predicates are 
syntactically different as $\Pi$ adds the equality predicates on the propagated 
variables. 


Proposition 3 (Assertion Predicates). Let $G$ be a global assertion, 

1. if $\Sigma(G)$ returns $G'$ then for all $n \in T(G)$ whose label is modified by $\Sigma$, 
and its corresponding node $n' \in T(G')$ (cf. Proposition 2), it holds that 

  $PRED_{T(G')}(n') \wedge cst_{T(G')}(n') \supset cst_{T(G)}(n)$ 

2. if $\Pi(G)$ returns $G'$ then for all $n \in T(G)$ whose label is modified by $\Pi$, 
and its corresponding node $n' \in T(G')$ 

  (a) $cst_{T(G')}(n')$ is the predicate $cst_{T(G)}(n)\sigma \wedge \omega$ 
  (b) $PRED_{T(G)}(n) \wedge cst_{T(G)}(n) \wedge \omega \iff PRED_{T(G')}(n') \wedge cst_{T(G')}(n')$ 

for some satisfiable $\omega \in \Psi$ and variable substitution $\sigma$. 


Proof: The proof of 1 relies on the fact that $\Sigma$ either does not change $G$ or 
replaces a problematic variable by a variable for which (3.1) holds. We show 
the result by showing that it holds for each invocation of $strengthen(\_)$ 
by $\Sigma$. Indeed, for each invocation we have that, by Definition 3, if $n$ is 
modified by $\Sigma$, then we have that $n \in HS(T(G))$. In addition, there must 
be $v \in varHS_{T(G)}(n)$ such that there exists $v' \in knows_s(n\!\uparrow_{T(G)})$ and (3.1) is 
satisfied. This gives us 

  $PRED_{T(G)}(n) \wedge \psi[v'/v] \supset \psi$,  i.e. 

  $PRED_{T(G')}(n') \wedge cst_{T(G')}(n') \supset cst_{T(G)}(n)$ 

since only the predicate of node $n$ is updated by substituting $v$ by $v'$, 
by Definition 3. 

The proof of 2 relies on Definition 5, i.e. a predicate of the form $v_1 = v_0$ 
or $v_i = v_{i-1}$ is added to each predicate of the nodes in the chain, and 
problematic variables are replaced by fresh ones. The additional predicates 
are satisfiable since they constrain only fresh variables (i.e. $v_i$). We have 
these results by showing that each invocation of $propagate(\_)$ by $\Pi$ validates 
the result. 

Case 2a. If $n$ is modified by $propagate(\_)$, then $n \in \bar\eta$, by Definition 6. 
Assume $v_0$ is the variable to be propagated. 

• If $n$ is not the last node of $\bar\eta$, by definition of $P_{T(G)}(v_0, \bar\eta)$, we have 
that $cst_{T(G')}(n') = cst_{T(G)}(n) \wedge (v_i = v_{i-1})$, which gives us the expected 
result if $\omega$ is $v_i = v_{i-1}$ and $\sigma$ is the empty substitution. 

• If $n$ is the last node of $\bar\eta$, by definition of $P_{T(G)}(v_0, \bar\eta)$, we have that 
$cst_{T(G')}(n') = cst_{T(G)}(n)[v_{t-1}/v_0]$, which gives the expected result with 
$\sigma = [v_{t-1}/v_0]$ and $\omega = \mathsf{true}$. 


Case 2b. If $n$ is modified by $propagate(\_)$, then $n \in \bar\eta$, by Definition 6. 
Assume $v_0$ is the variable to be propagated and the length of $\bar\eta$ is $k$. 

• If $n$ is the first node of $\bar\eta$, then $cst_{T(G')}(n') = cst_{T(G)}(n) \wedge (v_1 = v_0)$, and 
$PRED_{T(G')}(n') = PRED_{T(G)}(n)$ since $n'\!\uparrow_{T(G')}$ is unchanged. We have the 
expected result if $\omega$ is $v_1 = v_0$. Note that by definition of $P_{T(G)}(v_0, \bar\eta)$, 
$v_1$ is a fresh variable, therefore $v_1 = v_0$ is satisfiable. 

• If $n$ is the $i$-th node in $\bar\eta$ ($1 < i < k$) then $cst_{T(G')}(n') = cst_{T(G)}(n) \wedge (v_i = v_{i-1})$ 
and 

  $PRED_{T(G')}(n') = PRED_{T(G)}(n) \wedge \bigwedge_{1 \le j < i} v_j = v_{j-1}$ 

where each $v_j = v_{j-1}$ is satisfiable since each variable is freshly introduced. 
We have the expected result with $\omega$ as $v_i = v_{i-1}$. 

• If $n$ is the last node in $\bar\eta$, then $cst_{T(G')}(n') = cst_{T(G)}(n)[v_k/v_0]$, and 

  $PRED_{T(G')}(n') = PRED_{T(G)}(n) \wedge \bigwedge_{1 \le j < k} v_j = v_{j-1}$ 

with each $v_j = v_{j-1}$ satisfiable, as before. Let $\omega$ be $\mathsf{true}$, and we have 
the required result. 
Proposition 3.2 (b) amounts to saying that $cst_{T(G)}(n) \wedge \omega$ is equivalent 
to $cst_{T(G')}(n')$ when such predicates are taken in their respective contexts. 

Remarkably, $\Sigma$ and $\Pi$ do not add violations (of either HS or TS) to the 
amended global assertions. We postpone the discussion of this property to 
§ 4.3 (Proposition 5) after the formal introduction of TS. 

Finally, we prove that if the value returned by $\Sigma$ or $\Pi$ is not of the type 
$G_\bot$, then the amended global assertion satisfies HS. 


Theorem 1 (Correctness). If there is $G'$ such that $\Sigma(G) = G'$ or $\Pi(G) = G'$ 
then $HS(G') = \emptyset$. 


Proof: Case $\Sigma$. By Definitions 3 and 4, $\Sigma$ terminates successfully 
when $HS(G) = \emptyset$. We show that at each iteration of $\Sigma$, the number of HS 
violations decreases. Assume that there are $k$ violations in $G$; by Definition 4, 
we have either 

• $\Sigma(G) = strengthen(G) = G$ in which case, by Definition 3, $HS(G) = \emptyset$, 
i.e. $k = 0$, and the function terminates, or 

• $\Sigma(G) = \Sigma(strengthen(G)) = G'$ with $G \neq G'$, and by Lemma 2 the 
number of HS violations in $strengthen(G)$ is strictly less than $k$. 

Case $\Pi$. The case for $\Pi$ is similar to the previous case, using Definition 6 
(resp. 7) instead of Definition 3 (resp. 4). 

Finally, note that both $\Sigma$ and $\Pi$ always terminate since (i) the number 
of violations decreases at each iteration and (ii) we only consider finite 
assertion trees, therefore the number of variables in a tree is also finite. 


4 Back to the Future 


In a distributed choreography, the local choices made by some parties may 
restrict later choices of other parties to the point that no suitable value is 
available. This would lead to an abnormal termination since the choreography 
cannot continue. For global assertions, this distills into temporal satisfiability 
(TS) which requires that the values sent in each interaction do not compromise 
the satisfiability of future interactions. The formal definition of temporal 
satisfiability is adapted from [3]. 
Definition 9 (TS [3]). A global assertion $G$ satisfies TS (in symbols $TS(G)$) 
iff $GSat(G, \mathsf{true})$ holds where 

  $GSat(G, \psi)$ iff 
    $GSat(G', \psi \wedge cst(\iota))$,  if $G = \iota.G'$ and $\psi \supset \exists var(\iota).cst(\iota)$ 
    $\bigwedge_{j \in J} GSat(G_j, \psi \wedge \psi_j)$,  if $G = s \to r : \{\, \{\psi_j\}\, l_j : G_j \,\}_{j \in J}$ and $\psi \supset \bigvee_{j \in J} \psi_j$ 
    $GSat(G', \psi \wedge \psi')$,  if $G = \mu t(\tilde e)\{\tilde v \mid \psi'\}.G'$ and $\psi \supset \psi'[\tilde e/\tilde v]$ 
    $\psi \supset \psi'[\tilde e/\tilde v]$,  if $G = t(\tilde e)$ 
    $G = \mathsf{end}$,  otherwise 

For an assertion tree $T \in \mathcal{T}$, $TS(T)$ holds iff $GSat(A(T), \mathsf{true})$. 


Intuitively, the predicate $\psi$ in Definition 9 is the conjunction of all 
the predicates that precede an interaction in $G$. In the first case, all the 
values satisfying $\psi$ allow the interaction variables $var(\iota)$ to be instantiated so 
as to satisfy the constraint $cst(\iota)$ of $\iota$. For branching, $GSat$ requires that at 
least one branch can be chosen and that each possible path satisfies $GSat$. 
For recursive definitions, we require that the initial parameters satisfy the 
invariant $\psi'$. We assume that recursive calls are annotated with the invariant 
of the corresponding recursive definition, i.e. in Definition 9, $\psi'(\tilde v)$ is the 
predicate corresponding to the invariant of the definition of $t$. Often, TS 
problems appear when one tries to restrict the domain of a variable after its 
introduction. To illustrate this, we introduce the following running example. 


Example 8. Consider $G_{ex8}$ below, where $p$ constrains $x$ and $y$: 

  $G_{ex8} = p \to q : \{x \mid x < 10\}.$ 
           $p \to q : \{y \mid y > 8\}.$ 
           $q \to p : \{z \mid x > z \wedge z > 6 \wedge y \neq z\}$ 

When $q$ introduces $z$, both $x$ and $y$ are further restricted. $G_{ex8}$ violates TS 
because it does not hold that 

  $\forall x\, y.\ (x < 10) \wedge (y > 8) \supset \exists z.\ (x > z \wedge z > 6 \wedge y \neq z)$ 

Noticeably, if $p$ chooses, e.g., $x = 6$ then $q$ cannot choose a value for $z$. 


Possibly, TS can be regained by rearranging some predicates. In particular, 
we can “lift” a predicate to a previous interaction node. For instance, 
in Example 8, one could lift the predicate $\exists z.\ x > z > 6$ (adapted from the 
last interaction) to the first interaction’s predicate. 

We first consider TS violations occurring in interactions and recursive 
definitions. Amending violations arising in branching and recursive calls 
is similar but complicates the presentation; for the sake of clarity, such 
violations are considered in § 4.2. 


4.1 Lifting Algorithm 


We formalise the lifting algorithm. First, we give a function telling us 
whether a node n violates TS. 


Definition 10 (TSnode). Given $T \in \mathcal{T}$, $TSnode_T(n)$ holds iff $n \in T$, and 
$TS(T')$ holds where $T'$ is the assertion tree consisting of the path $n\!\uparrow_T$ where 
the children of $n$ (if any) are replaced by nodes with label $\mathsf{end}$. In addition, 
we assume that $TSnode$ holds for nodes with label of the form $s \to r :$ (since 
there is no predicate in these nodes, no TS problem can arise). 


We can now define a function that returns a set of nodes violating TS 
such that all the previous nodes in the tree do not violate TS. 


Definition 11 (TS). The function $TS : \mathcal{T} \to \mathcal{N}$ is defined as follows: 

  $TS(T) = \{\, n \in T \mid TSnode_T(n)$ is false, and $TSnode_T(n')$ is true for all $n' \in parent_T(n)\!\uparrow_T \,\}$ 


For instance, in Example 8, we have that $TS(T_{ex8})$ is the singleton 
$\{n_{ex8}\}$ where $T_{ex8} = T(G_{ex8})$ and $n_{ex8}$ is the node corresponding to the last 
interaction of $G_{ex8}$. 

Once an interaction node $n \in TS(T)$ is chosen, the next step is to 
identify which part of its predicate is the source of the problem. Thus, we 
define a relation among predicates $\psi$ and $\varphi$ in a context $\psi'$ to identify the 
problematic part of a predicate in an interaction node. 


Definition 12 (Conflict). The predicate $\psi \in \Psi$ is in conflict on $\tilde v \subseteq \mathcal{V}$ with 
$\varphi$ in $\psi'$ iff 

  $\psi' \supset \exists\tilde v.\varphi$  and  $\psi' \not\supset \exists\tilde v.(\varphi \wedge \psi)$ 


The notion of conflict is based on the definition of TS for interaction 
nodes (Definition 9). On the one hand, there is the part of the predicate which 
does not spoil TS ($\varphi$), and, on the other hand, the part which in conjunction 
with $\varphi$ invalidates TS ($\psi$). 




In Example 8, we have 

  $\forall x\, y.\ x < 10 \wedge y > 8 \supset \exists z.\ y \neq z$  and  $\forall x\, y.\ x < 10 \wedge y > 8 \not\supset \exists z.\ x > z \wedge z > 6 \wedge y \neq z$ 


Using Definition 12 and $PRED_T(n)$ (cf. § 3), we define 

  $split_T(n, \psi) = \{\, \psi' \mid \psi \iff \psi' \wedge \varphi$ and $\psi'$ is in conflict on $var(n)$ with $\varphi$ in $PRED_T(n) \,\}$ 


which returns a set of problematic predicates. Considering again Example 8, 
the application of $split$ yields $split_{T_{ex8}}(n_{ex8}, z > 6 \wedge x > z \wedge y \neq z) = \{z > 6 \wedge x > z\}$ 
since $y \neq z$ allows a suitable value for $z$ to be chosen. 


Remark 5. For a tree $T \in \mathcal{T}$ and $n \in TS(T)$ such that $\psi' \in split_T(n, \psi)$, 
we may have $PRED_T(n) \not\supset \exists\tilde v.\psi'$. For instance, if the predicate $\psi'$ is not 
satisfiable, e.g., $\psi' = v < 7 \wedge v > 7$. In this case the algorithm is not 
applicable. 


Remark 6. Note that at this level, it is not necessary to require $\psi'$ to be 
minimal in the definition of $split$ (in terms of, e.g., the size of the formula 
or the number of variables in $\psi'$). Indeed, as stated later in Definition 14, 
only the predicates which can be lifted successfully are used by the algorithm. 
However, an implementation of the algorithm could minimise the predicate 
in order to maximise the efficiency of the lifting algorithm. 


The next definition formalises the construction of a new assertion tree 
which possibly regains TS, given a node and an assertion to be “lifted” (i.e. 
a “problematic” predicate). 


Definition 13 (build). The function $build_T(n, \omega)$ returns 

• $\hat T \in \mathcal{T}$, if we can construct $\hat T$ isomorphic to $T$ except that each node 
$n' \in parent_T(n)\!\uparrow_T$ such that $n' = s \to r : \{\tilde u \mid \theta\}$ and $\tilde u \cap var(\omega) \neq \emptyset$ 
is replaced by a node $\hat n$ with label 

    $s \to r : \{\tilde u \mid \theta \wedge \forall\tilde x.\exists\tilde y.\omega\}$  such that $\theta \wedge \forall\tilde x.\exists\tilde y.\omega$ is satisfiable 

  where 

  – $\tilde x \subseteq var(\omega) \setminus knows_s(T)$ are introduced in a node in $n'\!\uparrow_T$ 

  – $\tilde y \subseteq var(\omega)$ are introduced in a node in the subtree rooted at $n'$ 

  and there is no $n'' \in parent_T(n)\!\uparrow_T$ such that $n'' = \mu t(\tilde e)\{\tilde v \mid \psi\}$ 
  and $\tilde v \cap var(\omega) \neq \emptyset$. 

• $\bot$ otherwise. 


Essentially, Definition 13 duplicates a quantified version of the predicate 
$\omega$ in the nodes which introduce variables in $var(\omega)$. For each updated node 
$n'$, the quantification of the variables in $var(\omega)$ operates in the following 
way. The variables which are introduced before $n'$ in the tree and which 
are not known to $s$ are quantified universally (since $s$ has no control over 
them). The variables that are introduced later in the tree are quantified 
existentially, so that $s$ may choose values for the variables in $\tilde u$ which do not 
compromise the satisfiability of predicates down in the tree. 


Remark 7. In the definition of $build$, we assume that if either $\tilde x$ or $\tilde y$ 
is empty, the corresponding unnecessary quantifier is removed. Recall that 
global assertions are closed (cf. § 2). Therefore all the variables in $var(\omega)$ 
are either quantified in the predicate of $\hat n$, or have been introduced before $n'$. 


In Example 8, we would invoke $build_{T_{ex8}}(n_{ex8}, z > 6 \wedge x > z)$ which 
returns a new assertion tree. The new tree can be transformed into a global 
assertion isomorphic to $G_{ex8}$ with line 1 updated to: $p \to q : \{x \mid x < 10 \wedge \exists z.\ x > z > 6\}$. 

The function $TSres : \mathcal{T} \times \mathcal{N} \to \mathcal{T} \cup \bot$ brings the above definitions 
together in order to either fix a TS problem at $n$, or return $\bot$. 


Definition 14 (TSres). Given $T \in \mathcal{T}$ and $n \in TS(T)$, we define 

  $TSres_T(n) =$ 
    $build_T(n, \psi)$,  if $n$ is an interaction node and $\exists\psi \in split_T(n, cst_T(n))$ s.t. $build_T(n, \psi) \neq \bot$ 
    $build_T(n, \psi[\tilde e/\tilde v])$,  if $n = \mu t(\tilde e)\{\tilde v \mid \psi\}$ 
    $\bot$,  otherwise 


The first case of Definition 14 handles TS problems in interaction nodes. 
If there is a predicate $\psi$ in conflict such that it can be “lifted” by $build$ 
successfully, then the function returns the result of $build$. The second case 
handles TS violations in recursive definitions. The problem is similar to 
the interaction case, but in this case, the values assigned to the recursion 
parameters are known (i.e., $\tilde e$). It may be possible to lift the recursion 
invariant, where we replace the recursion parameters by the corresponding 
initialisation vector. Example 9 illustrates this case. 
Example 9. For the global assertion $G_{ex9}$ given below, $TS(G_{ex9})$ does not 
hold because $\forall x\, y.\ \mathsf{true} \not\supset (x > y > 6)$. 

  $G_{ex9} = p \to q : \{x \mid \mathsf{true}\}.$ 
           $\mu t(8)\{y \mid x > y > 6\}.G'$ 

However, using the initialisation parameters, we can lift $x > 8 > 6$, i.e., the 
original predicate where we replaced $y$ by $8$, to the interaction preceding the 
recursion. TS now holds in the new global assertion (assuming that $TS(G')$ 
holds as well). 


Remark 8. In Example 9, if we had only lifted $x > y > 6$, as in the 
interaction case, it would not have solved the TS problem. Indeed, the 
predicate of the first interaction would have become $\exists y.\ x > y > 6$, which 
does not exclude values for $x$ which are incompatible with the invariant (e.g., 
$x = 8$). 


Even though lifting may be applied when a TS violation is detected in 
a recursive definition, lifting a predicate involving a recursion parameter $v$ 
would require strengthening the invariant where $v$ is introduced. This is quite 
dangerous, therefore the lifting algorithm does not apply in this case (cf. the 
last line of the first part of Definition 13). In fact, for recursive definitions and 
calls, Definition 9 requires $\psi \supset \psi'[\tilde e/\tilde v]$, where $\psi'$ is the recursion invariant 
and $\psi$ is the conjunction of the previous predicates. Hence, lifting a predicate 
involving a recursion parameter may strengthen the invariant, and possibly 
create a new problem in a corresponding recursive call. Moreover, notice that, 
in recursive calls, $GSat$ (Definition 9) requires that $\psi \wedge \psi' \supset \psi'[\tilde e/\tilde v]$; namely, 
strengthening $\psi'$ would automatically strengthen $\psi'[\tilde e/\tilde v]$ and therefore leave 
the TS problem unsolved. 

The overall lifting procedure is given in Definition 15. It relies on a repeated application 
of $TSres$ until either the assertion tree validates TS or the function fails to 
solve the problem. In the latter case, the function returns the most improved 
version of the tree and the node at which it failed. 


Definition 15 ($\Lambda$). $\Lambda$ is defined as follows, given a global assertion $G$. 

  $\Lambda(G) =$ 
    $G$,  if $TS(G)$ 
    $\Lambda(TSres_{T(G)}(n))$,  if there is $n \in TS(T(G))$ s.t. $TSres_{T(G)}(n) \neq \bot$ 
    $G_{\bot n}$,  otherwise 
4.2 Applying $\Lambda$ to Branching and Recursion 


Branching. According to Definition 9, TS fails on branching nodes only 
when there are values for which none of the branches’ predicates are satisfiable, 
as in Example 10 below. 

The underlying idea of branching is to enable the architect to design a 
choreography where a branch cannot be taken when some variables have a 
particular value. The architect should be involved in the resolution of the 
problem, because two options are possible: either the disjunction of all the 
predicates found in the branches is lifted, or the predicate of one of the branches is 
lifted. Arguably, the latter may also prevent other branches from being chosen, 
as shown in Example 10. 


Example 10. As an illustration, we consider the following assertion: 

  $G_{ex10} = q \to p : \{v \mid \mathsf{true}\}.$ 
            $p \to q : \{\ \{v > 5\}\ l_1 : G_1,\ \ \{v < 5\}\ l_2 : G_2\ \}$ 

Assuming that $TS(G_1)$ and $TS(G_2)$ hold, we have that $TS(G_{ex10})$ does not 
hold because $\mathsf{true} \not\supset (v > 5 \vee v < 5)$. It is obvious that if $v = 5$ no branch 
may be selected. 


Let’s call $\hat n$ the node corresponding to the branching in the second line 
of $G_{ex10}$. Depending on the intention of the architect the problem could be 
fixed by one of these invocations of $build$ (where, in both cases, superfluous 
quantifiers are removed). 

• $build_{T(G_{ex10})}(\hat n, v > 5 \vee v < 5)$ replaces the predicate in the first line 
by $\mathsf{true} \wedge (v > 5 \vee v < 5)$ 

• $build_{T(G_{ex10})}(\hat n, v < 5)$ replaces the predicate in the first line by $\mathsf{true} \wedge (v < 5)$. 

Both solutions solve the TS problem; however, the second one prevents the 
first branch from ever being taken. 

Given an assertion tree $T$ and a branching node⁶ $n \in T$ such that 
TS does not hold, one can invoke $build_T(n, \omega)$ where $\omega$ is either the 
disjunction of all the branching predicates or the predicate of one of the branches. 
If the function does not return $\bot$, then the TS problem is solved. 


⁶We also assume that TS is not violated in $parent(n)\!\uparrow_T$ as in Definition 11. 
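To make the lifting procedure concrete, the following Python program (an added example, not code from the paper or its authors) runs the $GSat$ check of Definition 9 and the $build$ function of Definition 13 on Example 8 and on Example 10 above. It decides quantifiers by enumerating a constructed finite integer domain, and it assumes that a participant knows exactly the variables it has sent or received so far, which is this example's simplification of the paper's $knows_s$.

```python
"""Bounded-domain checker for TS (Definition 9) and lifting (Definition 13); an added
example, not the authors' code.  Quantifiers are decided by enumerating DOMAIN."""
import copy
from itertools import product

DOMAIN, END = range(0, 13), None   # constructed finite domain for every variable; label end

class Interaction:
    """s -> r : {vars | cst}. cont ; cst is a callable over an environment dict."""
    def __init__(self, name, s, r, vars_, cst, cont):
        self.name, self.s, self.r = name, s, r
        self.vars, self.cst, self.cont = tuple(vars_), cst, cont

class Branching:
    """s -> r : { {pred_j} l_j : G_j } ; branches maps label -> (pred_j, G_j)."""
    def __init__(self, name, s, r, branches):
        self.name, self.s, self.r, self.branches = name, s, r, branches

def envs(vars_, psi):
    """Assignments of DOMAIN values to vars_ that satisfy the context psi."""
    for vals in product(DOMAIN, repeat=len(vars_)):
        env = dict(zip(vars_, vals))
        if psi(env):
            yield env

def quantify(univ, exist, body):
    """The predicate  forall univ. exists exist. body,  decided over DOMAIN."""
    return lambda env: all(
        any(body(dict(env, **dict(zip(univ, u)), **dict(zip(exist, x))))
            for x in product(DOMAIN, repeat=len(exist)))
        for u in product(DOMAIN, repeat=len(univ)))

def gsat(g, psi=lambda e: True, introduced=()):
    """GSat(G, psi) of Definition 9; returns (True, None) or (False, (node name, bad env))."""
    if g is END:
        return True, None
    if isinstance(g, Interaction):
        step = quantify((), g.vars, g.cst)           # exists var(iota). cst(iota)
        for env in envs(introduced, psi):
            if not step(env):
                return False, (g.name, env)
        return gsat(g.cont, lambda e: psi(e) and g.cst(e), introduced + g.vars)
    for env in envs(introduced, psi):                # psi must imply some branch predicate
        if not any(p(env) for p, _ in g.branches.values()):
            return False, (g.name, env)
    for p, cont in g.branches.values():
        ok, witness = gsat(cont, lambda e, p=p: psi(e) and p(e), introduced)
        if not ok:
            return ok, witness
    return True, None

def ancestors(g, name, acc=()):
    """Nodes on the path root .. parent(n) of the node called name (None if absent)."""
    if g is END:
        return None
    if g.name == name:
        return acc
    conts = [g.cont] if isinstance(g, Interaction) else [c for _, c in g.branches.values()]
    return next((p for p in (ancestors(c, name, acc + (g,)) for c in conts)
                 if p is not None), None)

def build(g, name, omega, omega_vars):
    """Definition 13: every ancestor interaction introducing a variable of omega gets
    cst and forall x. exists y. omega (x: earlier vars unknown to the sender, y: later vars)."""
    t = copy.deepcopy(g)
    knows, before = {}, ()    # participant -> vars it sent/received so far (assumed knows_s)
    for n in ancestors(t, name):
        if not isinstance(n, Interaction):           # branching nodes introduce no variable
            continue
        if set(n.vars) & set(omega_vars):
            x_bar = tuple(v for v in before
                          if v in omega_vars and v not in knows.get(n.s, ()))
            y_bar = tuple(v for v in omega_vars if v not in before + n.vars)
            new_cst = lambda e, c=n.cst, q=quantify(x_bar, y_bar, omega): c(e) and q(e)
            if next(envs(before + n.vars, new_cst), None) is None:
                return None                          # bottom: rewritten predicate unsatisfiable
            n.cst = new_cst
        for p in (n.s, n.r):
            knows.setdefault(p, set()).update(n.vars)
        before += n.vars
    return t

# Example 8 (constructed input): p->q:{x | x<10}. p->q:{y | y>8}. q->p:{z | x>z and z>6 and y!=z}
GEX8 = Interaction("n1", "p", "q", ["x"], lambda e: e["x"] < 10,
       Interaction("n2", "p", "q", ["y"], lambda e: e["y"] > 8,
       Interaction("n3", "q", "p", ["z"],
                   lambda e: e["x"] > e["z"] and e["z"] > 6 and e["y"] != e["z"], END)))
# Example 10 with G1 = G2 = end: q->p:{v | true}. p->q:{ {v>5} l1: end, {v<5} l2: end }
GEX10 = Interaction("m1", "q", "p", ["v"], lambda e: True,
        Branching("m2", "p", "q", {"l1": (lambda e: e["v"] > 5, END),
                                   "l2": (lambda e: e["v"] < 5, END)}))

def amend_ex8():
    """Lift  exists z. x>z and z>6  (the conflicting part of n3's predicate) to n1."""
    return build(GEX8, "n3", lambda e: e["x"] > e["z"] and e["z"] > 6, ("x", "z"))

def amend_ex10(disjunction=True):   # lift the disjunction of the branch predicates, or only v<5
    omega = (lambda e: e["v"] > 5 or e["v"] < 5) if disjunction else (lambda e: e["v"] < 5)
    return build(GEX10, "m2", omega, ("v",))
```

Before lifting, `gsat(GEX8)` reports node `n3` with the context x = 0, y = 9 and `gsat(GEX10)` reports node `m2` with v = 5; after `amend_ex8()` and `amend_ex10()` both checks pass, and lifting only v < 5 in Example 10 also passes while leaving no context in which `l1` can be chosen.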
Recursion. The lifting algorithm can easily be extended to solve TS 
problems which occur in a recursive call, if we assume an annotation giving 
the invariant of its corresponding recursive definition (as in Definition 9). 
In fact, let a TS problem be located at a node $n \in T$ such that $n = t(\tilde e)$ 
and let the invariant of the definition of $t$ be $\psi(\tilde v)$; then if the invocation of 
$build_T(n, \psi[\tilde e/\tilde v])$ succeeds, the problem is solved. 

In order to give a more complex example of the application of A, with 
TS problems in recursive calls, we consider the following example. 


Example 11. Consider the global assertion below 

  $G_{ex11} = Generator \to Server : \{n \mid n > 0\}.$ 
            $Player \to Server : \{x \mid \mathsf{true}\}.$ 
            $\mu t(x)\{r \mid r > 0\}.$ 
            $Server \to Player : \{\ \{r > n\}\ less : Player \to Server : \{y \mid \mathsf{true}\}.t(y),$ 
                                 $\{r < n\}\ greater : Player \to Server : \{z \mid \mathsf{true}\}.t(z),$ 
                                 $\{r = n\}\ win : \mathsf{end}\ \}$ 

modelling a small game where a $Player$ has to guess an integer $n$, following 
the hints given by a $Server$. The number is fixed by a $Generator$. Each time 
$Player$ sends $Server$ a number, $Server$ says whether $n$ is less or greater 
than that number. 


Let $T_{ex11}$ be the tree $T(G_{ex11})$. There is a TS problem 
at the node corresponding to the recursive definition (let’s call it $n_3$); indeed 
if $x < 0$, the invariant is not respected. After the first loop of $\Lambda(T_{ex11})$, the 
predicate $x > 0$ is added in the second interaction, i.e. $TSres_{T_{ex11}}(n_3)$ is 
invoked and returns a new tree, say $T'_{ex11}$, where the second interaction is 
updated to 

  $Player \to Server : \{x \mid x > 0\}$ 

Then, the algorithm loops two more times to solve the problems appearing 
before the recursive calls. Assuming $n_4$ (resp. $n_5$) is the node corresponding 
to the recursive call in the $less$ (resp. $greater$) branch, $TSres_{T'_{ex11}}(n_4)$ is 
invoked, adding $y > 0$ in the interaction of the $less$ branch; let’s call this 
new tree $T''_{ex11}$. The updated interaction is now 

  $Player \to Server : \{y \mid y > 0\}$ 

Then, the algorithm invokes $TSres_{T''_{ex11}}(n_5)$, which adds $z > 0$ in the 
interaction of the $greater$ branch, updating the interaction to 

  $Player \to Server : \{z \mid z > 0\}$ 

The global assertion now satisfies temporal satisfiability. 
4.3 Properties of $\Lambda$ 

Similarly to the algorithms $\Sigma$ and $\Pi$ of § 3, $\Lambda$ does not modify the structure 
of the tree and preserves the properties of the initial assertion. 


Proposition 4 (Underlying Type Structure - $\Lambda$). Let $G$ be a global assertion. 
If $\Lambda(G)$ returns $G'$ then $erase(G) = erase(G')$ (cf. Definition 8). 


Proof: The proof is by induction on the structure of G, similarly to the 
one of Proposition 2. 


Proposition 5 below guarantees that $\Lambda$ does not introduce new HS or 
TS problems. Likewise, Proposition 5 gives a formal account of the informal 
remark in § 3.3, showing that also $\Sigma$ and $\Pi$ do not add violations (of either 
HS or TS) to the amended global assertions. 


Proposition 5 (Properties Preservation). Assume $F(G)$ returns $G'$ with 
$F \in \{\Sigma, \Pi, \Lambda\}$. If $HS(G) = \emptyset$ then $HS(G') = \emptyset$ and if $TS(G) = \emptyset$ then 
$TS(G') = \emptyset$. 


Proof: We first consider HS preservation and then TS preservation for 
$F(G)$ with $F \in \{\Sigma, \Pi, \Lambda\}$. 

HS preservation. The proof of HS preservation by $\Sigma$ and $\Pi$ follows by 
the fact that $\Sigma$ and $\Pi$ return $G$ if $HS(G) = \emptyset$. For $\Lambda$, the preservation of 
HS follows from the fact that all the variables which are not known to a 
participant are quantified (either universally or existentially) in the modified 
predicates. We show that all the variables not known to the sender of an 
updated node are quantified. Let $T$ be an assertion tree and $\omega$ be the 
predicate lifted at a node $n \in T$ such that $sndr(n) = s$. The predicate is 
quantified as in Definition 14 so as to obtain $\forall\tilde x.\exists\tilde y.\omega$ such that 

• $\tilde x \subseteq var(\omega) \setminus knows_s(T)$ are introduced in a node in $n\!\uparrow_T$ 
• $\tilde y \subseteq var(\omega)$ are introduced in a node in the subtree rooted at $n$ 

Let $z \in var(\omega)$. (i) If $z \notin \tilde x$, by definition, either $z$ is known to $s$ (therefore 
$z$ should not be quantified) or $z$ is introduced after $n$ (hence it would have 
been quantified in $\tilde y$). (ii) If $z \notin \tilde y$, by definition, either $z$ is introduced at 
$n$ (therefore known to $s$) or $z$ is introduced before $n$. In that case, if it is 
known to $s$ then it should not be quantified, and if it is not known to $s$, 
then $z \in \tilde x$. 
TS preservation. TS preservation in $\Sigma$ follows from the fact that predicates 
may only be changed by a variable substitution. For $T = T(G)$, such that 
$TS(G) = \emptyset$, we have that, for any $n \in T$ 

  $PRED_T(n) \supset \exists var_T(n).\varphi$ 

by definition of TS (Definition 9), with $\varphi$ being the predicate at node $n$. 
And, by (3.1), we have that 

  $PRED_T(n) \supset \exists var_T(n).\varphi[v'/v]$ 

thus, TS is preserved by $\Sigma$. TS preservation in $\Pi$ follows from the fact that 
the predicates of a global assertion are only modified by adding equalities 
between problematic variables and fresh variables (see statement 2b in 
Proposition 3). For $T = T(G)$, such that $TS(G) = \emptyset$, we have that, for any 
$n \in T$ 

  $PRED_T(n) \supset \exists var_T(n).\varphi$   (4.1) 

by definition of TS, with $\varphi$ being the predicate at node $n$. And, by construction 
of $\prec_T$-chain, after each modification by $\Pi$, we obtain 

  $PRED_T(n) \wedge v_1 = v_0 \wedge \ldots \wedge v_t = v_{t-1} \supset \exists var_T(n).\varphi[v_t/v]$ 

with $v_1 \ldots v_t$ fresh. This is equivalent to (4.1), i.e. TS is preserved by $\Pi$. 
The proof of TS preservation for $\Lambda$ follows trivially from the first case of 
Definition 15. 

Proposition 6 establishes an intermediate result for the correctness of 
$\Lambda$. It says that a successful invocation of $TSres$ (cf. Definition 14) on a node 
removes the problem at that node. 

Proposition 6 (Correctness - TSres). Let $T$ be an assertion tree. For each 
$n \in TS(T)$ such that $TSres_T(n) \neq \bot$, then $n \notin TS(TSres_T(n))$. 


Proof: We start by giving the proof of the correctness for interaction 
nodes. Let $T$ be an assertion tree with a node $n$ such that $n \in TS(T)$, and 

  $n = s \to r : \{\tilde u \mid \psi\}$ 

with $\psi \iff \beta \wedge \gamma$ such that $\beta$ is in conflict on $var(n)$ with $\gamma$ in $PRED_T(n)$. 
Then $\beta$ is the predicate to be lifted. Assume $\hat T = build_T(n, \beta)$. 
By Definition 13, we have that, for suitable $\tilde x_1, \tilde y_1, \ldots, \tilde x_k, \tilde y_k$, 

  $PRED_{\hat T}(n) = PRED_T(n) \wedge \forall\tilde x_1.\exists\tilde y_1.\beta \wedge \ldots \wedge \forall\tilde x_k.\exists\tilde y_k.\beta$   (4.2) 

We have that a quantified version of $\beta$ is added $k$ times in the assertion tree, 
above $n$. We show that 

  $\bigwedge_{1 \le i \le k} \forall\tilde x_i.\exists\tilde y_i.\beta \supset \exists\tilde v.\beta$   (4.3) 

Assume that each $\forall\tilde x_i.\exists\tilde y_i.\beta$ corresponds to the predicate added to the $i$-th 
node ($n_i$) modified by $TSres$ (from the root to $n$). Then $\tilde y_k = \tilde u \cap var(\beta)$ 
since by Definition 13 $\tilde y_k$ is the set of variables introduced after $n_k$, and 
we assumed that the global assertion is closed (i.e. all the variables $var(\beta)$ 
have been introduced before they are used, in $n$). Since every $\forall\tilde x_i.\exists\tilde y_i.\beta$ is 
satisfiable by Definition 13, we have that the following holds 

  $\exists\tilde z.\exists\tilde x_k.\exists\tilde y_k.\beta$  with $\tilde z = var(\forall\tilde x_k.\exists\tilde y_k.\beta)$ 

this gives us (4.3) (note that $\tilde z$, $\tilde x_k$, and $\tilde y_k$ are pairwise disjoint by definition). 
Since $\forall\tilde x_k.\exists\tilde y_k.\beta$ is one of the conjuncts of $PRED_{\hat T}(n)$ we also have 

  $PRED_{\hat T}(n) \supset \exists\tilde v.\beta$   (4.4) 

By the definition of conflict (Definition 12), we have that $PRED_T(n) \supset \exists\tilde v.\gamma$ 
and $PRED_T(n) \not\supset \exists\tilde v.\beta \wedge \gamma$ (hence, $PRED_T(n)$ is satisfiable). Therefore, 
by weakening, we have that 

  $PRED_{\hat T}(n) \supset \exists\tilde v.\gamma$   (4.5) 

TS must hold for $n$, which implies that $n \notin TS(\hat T)$ and $TSnode_{\hat T}(n)$ 
holds, i.e. 

  $PRED_{\hat T}(n) \supset \exists\tilde v.\psi$  (with $\psi \iff \beta \wedge \gamma$) 

Otherwise, that would imply that 

  $PRED_{\hat T}(n) \supset \forall\tilde v.(\neg\beta \vee \neg\gamma)$ 

which is in contradiction with (4.4) ($\beta$) and (4.5) ($\gamma$). 


Let’s now show the result for recursive nodes, which is somewhat similar 
to the previous case. Assume we have 

  $n = \mu t(\tilde e)\{\tilde v \mid \beta\}$ 

with $n \in TS(T)$, thus we have that (by Definition 9) 

  $PRED_T(n) \not\supset \beta[\tilde e/\tilde v]$   (4.6) 

Assuming $\hat T = build_T(n, \beta[\tilde e/\tilde v])$ (i.e. $build$ succeeds), we have that a 
quantified version of $\beta[\tilde e/\tilde v]$ is added $k$ times in the assertion tree, above $n$. 
Following a similar argument as before, this gives us 

  $PRED_{\hat T}(n) = PRED_T(n) \wedge \beta[\tilde e/\tilde v]$   (4.7) 

By Definition 13, we also know that $\beta[\tilde e/\tilde v]$ is satisfiable, and by Definition 11 
and (4.6), $PRED_T(n)$ is satisfiable. Since 

  $PRED_{\hat T}(n) \supset \beta[\tilde e/\tilde v] \iff PRED_T(n) \wedge \beta[\tilde e/\tilde v] \supset \beta[\tilde e/\tilde v]$ 

we have that $n \notin TS(\hat T)$. 
Finally, we can say that, if a repeated application of lifting succeeds, 
the global assertion which is returned satisfies temporal satisfiability. 


Theorem 2 (Correctness of Λ). If $\Lambda(G) = G'$ then $\mathrm{TS}(G') = \emptyset$.


Proof: The proof is by induction on the number of problematic nodes and the minimum depth of these nodes in the tree. It relies on Proposition 6, i.e. the fact that $\mathrm{TSres}_T(n)$ either solves the problem at $n$ or fails.

Let $T = T(G)$ and $N$ be the set of nodes in $T$ which violate TS. We write $|n|$ for the depth of $n$ in $T$ (the root having depth 0), and we denote by $N'$ the set of problematic nodes after an invocation of TSres.

1. If $N = \emptyset$, then $T$ is TS.

2. If $N \neq \emptyset$, let $n \in \mathrm{TS}(T) \subseteq N$; after an invocation of $\mathrm{TSres}_T(n)$, we have

   (a) If $|n| > 1$ then either

      i. $N' := N \setminus \{n\}$, i.e. the node is simply removed from the set of problematic nodes,

      ii. $N' := N \cup N_n \setminus \{n\}$, where $N_n$ is the set of problematic nodes added by TSres. We have that $\forall n_i \in N_n.\ |n_i| < |n|$, i.e. the problem at $n$ is solved but other problematic nodes, above $n$ in $T$, are added, or,

      iii. the algorithm fails on $n$.

   (b) If $|n| \le 1$ then either $N' := N \setminus \{n\}$, or the algorithm fails. In fact, once the algorithm reaches a problem located at a child of the root, then it either fails or solves the problem. Indeed, there cannot be a TS problem at the root node unless the predicate is unsatisfiable (see Definition 9), in which case the algorithm fails.

Note that selecting $n \in \mathrm{TS}(T)$ implies that the depth of $n$ is smaller than or equal to the depth of the nodes in $N$.

It can be shown by induction that the algorithm terminates either with $\mathrm{TS}(T) = \emptyset$, or with a failure.

Regarding step 2(a)ii, note that the algorithm cannot loop on a problematic node indefinitely. Indeed, the number of (sub)predicates available for lifting is finite, and $\Lambda$ invokes TSres only when a problematic node is found.
In addition, we have that A preserves the domain of possible values for 
each variable from the initial assertion. 


Proposition 7 (Assertion predicates). If $\Lambda(G) = G'$ then for all $n \in T(G)$ such that $n$ is a leaf, and its corresponding node $n' \in T(G')$,

$$\mathrm{PRED}_{T(G)}(n) \wedge \mathrm{est}_{T(G)}(n) \iff \mathrm{PRED}_{T(G')}(n') \wedge \mathrm{est}_{T(G')}(n')$$


Proof: The proof follows from the observation that predicates are only duplicated in the tree, i.e. the lifting algorithm does not add any new constraint to the conjunction of the predicates found on the path from the root to a leaf. In addition, the algorithm modifies only predicates which appear above a problematic node in the tree (i.e. a predicate in a leaf will never be modified, by Definition 13).

We show the result for interaction nodes; the case for recursive nodes is similar. After each successful iteration of $\Lambda$ on an assertion tree $T = T(G)$, where

$$\mathrm{PRED}_T(n) = \psi_1 \wedge \ldots \wedge \psi_i \wedge \ldots \wedge \psi_k$$

and $\psi_i$ is the predicate where the TS problem is located, and $\beta$ is the lifted predicate (cf. proof of Proposition 6), such that we have, by Definition 12,

$$\psi_i = \beta \wedge \gamma \qquad (4.8)$$

We can then rewrite $\mathrm{PRED}_T(n)$ as

$$\mathrm{PRED}_T(n) = \psi_1 \wedge \ldots \wedge \gamma \wedge \beta \wedge \ldots \wedge \psi_k$$

build returns a new tree $T'$ such that the conjunction of predicates in the new tree is of the form

$$\mathrm{PRED}_{T'}(n') = \mathrm{PRED}_T(n) \wedge \bigwedge_{j \in J} \forall \tilde{x}_j.\exists \tilde{y}_j.\beta \qquad (4.9)$$


Three Algorithms and a Methodology for Amending Contracts for Choreographies 95


By Definition 13, we have $\tilde{x}_j, \tilde{y}_j \subseteq \mathrm{var}(\beta)$, for all $j \in J$. Therefore, we have

$$\beta \supset \forall \tilde{x}_j.\exists \tilde{y}_j.\beta \qquad \text{for all } j \in J \qquad (4.10)$$

This means that the additional predicates do not constrain further the conjunction of predicates, and we have

$$\mathrm{PRED}_T(n) \iff \mathrm{PRED}_{T'}(n')$$


5 A Methodology for Amending Choreographies


The algorithms Σ, Π, and Λ in § 3 and § 4 can be used to support a methodology for amending contracts in choreographies. The methodology consists of the following steps:

(i) the architect designs a choreography G;

(ii) the architect is notified if there are any HS or TS problems in G;

(iii) using Σ and Π, solutions may be offered for HS problems, while Λ can be used to offer solutions and/or hints on how to solve TS problems;

(iv) the architect selects one of the solutions offered in (iii);

(v) steps (ii) to (iv) are repeated until all problems are addressed.


We show our methodology using the following global assertion (numbered by line, as referred to below):

    G = μt(10){v | v > 0}.                                            (line 1)
        Alice → Bob : {v1 | v > v1}.                                  (line 2)
        Bob → Carol : {v2 | v2 > v1}.                                 (line 3)
        Carol → Alice : {v3 | v3 > v1}.                               (line 4)
        Carol → Bob : {v4 | v4 > v}.                                  (line 5)
        Alice → Bob : {true} cont : t⟨v1⟩,                             (line 6)
                      {true} finish : Alice → Bob : {v5 | v1 < v5 < v3 − 2}   (line 7)

which extends the global assertion in Example 4 and is supposed to be designed by the architect (step (i) of the methodology).

Firstly, G is inspected by history sensitivity and temporal satisfiability checkers, such as the ones described in [9]. If any HS problems are reported (step (ii) of the methodology), algorithms Σ and Π are used, while Λ is used for TS problems. This allows the architect to detect all the problems and to consider the ones for which (at least) one of the algorithms is applicable. In general, the architect can decide which problem to tackle first (step (iii) of our methodology). For G, we focus on HS problems first. There are two HS problems in G, both of which can be solved automatically, and the methodology will return that


1. At line 4, v1 is not known by Carol; the problem is solvable by either

   • replacing v3 > v1 by v3 > v2 (algorithm Σ) at line 4, or

   • revealing v1 to Carol (algorithm Π); in this case, line 3 becomes
         Bob → Carol : {v2 u1 | v2 > v1 ∧ u1 = v1}
     and the predicate at line 4 becomes v3 > u1.

2. At line 5, v is not known by Carol; the problem is solvable by revealing the value of v to Carol (algorithm Π), in which case line 3 becomes
         Bob → Carol : {v2 u2 | v2 > v1 ∧ u2 = v}
   and the assertion at line 5 becomes v4 > u2.


In the propagation case (i.e., Π), the methodology gives the architect information on which participants the value of a variable may be disclosed to. Indeed, as discussed in Remark 4, it may not be appropriate to use the suggested solution. Therefore, the actual adoption of the proposed solutions should be left to the architect. In addition, the order in which problems are tackled is also left to the architect (e.g., the same variable may be involved in several problems and solving one of them may automatically fix the others). Assuming that Σ is used to solve the first problem and Π to solve the second, the first five lines of the new global assertion are those in Example 7 and HS is fixed. Now HS is satisfied in G, but TS problems are still present.

In case a TS problem cannot be solved automatically, additional information can be returned: (a) at which node the problem occurred, (b) which variables or recursion parameters are posing problems (i.e. using split and build), and (c) where liftings are not possible (i.e. when build fails to add a satisfiable predicate to a node). For G there are two TS problems which are dealt with sequentially. The methodology would report that

1. At line 6, v1 does not satisfy the invariant v > 0. This can be solved by lifting v1 > 0 (i.e. the invariant where v is replaced by the actual parameter v1) to the interaction at line 2, which would yield the new predicate v > v1 ∧ v1 > 0.


2. At line 7, there might be no value for v5 such that v1 < v5 < v3 − 2. The assertion is in conflict (cf. Definition 12) with the previous predicates; this problem cannot be solved since lifting would add the following predicates at lines 2 and 4, respectively:

   • ∃v3, v5. v1 < v5 < v3 − 2, which is indeed satisfiable, but does not constrain v1 more than the initial predicate: the updated predicate (i.e. v > v1 ∧ ∃v3, v5. v1 < v5 < v3 − 2) does not constrain v1 more than the original predicate, v > v1.

   • ∀v1. ∃v5. v1 < v5 < v3 − 2, which is not satisfiable; therefore the algorithm fails.


The failure of Λ is due to the fact that v5 is constrained by v1 and v3, which are fixed by two different participants. They would have to somehow interact in order to guarantee that there exists a value for v5; this cannot be done using the proposed algorithms. Notice that in this case the methodology tells the architect that v5, fixed by Alice, is constrained by v1 and v3, which are fixed by Alice and Carol, respectively. Our approach can also suggest that the node introducing v3, or (the part of) the assertion over v3, may be the source of the problem, since v3 is the only variable not known by Alice.


5.1 Amendment Strategies 


The methodology above does not specify any particular order for tackling HS and TS problems. In fact, it is for the architect to assess the importance of each problem; furthermore, (s)he should also proof-read the proposed solutions (e.g. in the case of propagation). One of our future work plans is to help the architect make choices regarding the order in which problems should be tackled by designing amendment strategies, which maximise the chances of having all problems solved using the proposed algorithms.

In fact, the application of an algorithm could be spoiled by the application of another one. For instance, the application of the strengthening algorithm (Σ) might compromise the applicability of the lifting algorithm (Λ), and vice versa. This happens when a variable v introduced by Σ in a node (say n) to solve an HS problem is also involved in a TS problem, in a descendant node (say n') of n; indeed, both Σ and Λ will independently strengthen the predicate of n. This may compromise the application of the algorithm invoked last, as illustrated below.

Let $T$ be an assertion tree, where there are $n, n' \in T$ such that $\mathrm{varHS}_T(n) \neq \emptyset$, $n'$ is a descendant of $n$,

$$n = s \to r : \{\tilde{t}\, v \mid \psi\} \qquad \text{and} \qquad n' = s' \to r' : \{\tilde{u} \mid \gamma \wedge \beta\}$$

where $v \in \mathrm{var}(\beta)$, and $\beta$ is in conflict on $\psi$ with $\gamma$ in $\mathrm{PRED}_T(n')$.

• if Σ is used to solve the problem at $n$, $\psi$ might be strengthened (by variable substitution);

• if Λ is used to solve the problem at $n'$, $\beta$ will be lifted to the node $n$ since $v \in \mathrm{var}(\beta)$.

Call $\psi_1$ the new predicate produced by Σ and $\psi_2$ the one produced by Λ. The application of Σ would generate

$$n = s \to r : \{\tilde{t}\, v \mid \psi_1\}$$

which might prevent the application of Λ because e.g., $\psi_1 \wedge \forall \tilde{x}.\exists \tilde{y}.\beta$ is not satisfiable, for suitable $\tilde{x}$ and $\tilde{y}$. Likewise, the application of Λ first would generate

$$n = s \to r : \{\tilde{t}\, v \mid \psi_2\}$$

for which Σ might not be applicable because e.g., no substitution with a variable known to $s$ yields a satisfiable predicate for $n$.

We conjecture that this is the only source of issues arising from the absence of a prescribed order for addressing HS and TS problems in the methodology. Intuitively, the only way one algorithm could spoil the applicability of another is by modifying the satisfiability of a predicate of (at least) one common node. Propagation (Π) preserves the semantics of all the nodes it updates (by Proposition 3); instead, Σ and Λ may strengthen predicates. Note that Σ modifies only the node in which there is an HS problem, while Λ updates only the nodes above the TS-problematic one. Therefore, the only possible issue occurs when there is a node with an HS problem "above" another, with a TS problem. Since Λ modifies only the nodes that introduce variables which appear in a problematic predicate, we conjecture that this happens only in the case explained above. Note that even though an occurrence of two inter-dependent TS and HS problems as above may compromise the applicability of an algorithm, thus preventing the amendment of existing problems, it will not introduce new violations, as stated in Proposition 5.
Figure 1: ATM protocol


6 Applying the Methodology 


To illustrate our methodology, we consider the design of a couple of services 
offered by an ATM to the customers of the bank where it is located. The 
first service offers cash withdrawal. The second service allows customers to 
request a small line of credit, provided that they are considered trusted by 
the bank. We propose two global assertions for each of the two functionalities 
and discuss problems which may be encountered during their design. 


6.1 Cash Withdrawal 


Consider the following global assertion, also illustrated in Figure 1, where C is the customer, A is the ATM, and B is the bank.

    C → A : {num req | req > 0}.
    A → B : {num' req' | num = num' ∧ req = req'}.
    B → A : {true} ok : A → C : {true} ok : A → C : {a | a = req},
            {true} ko : A → C : {true} ko : A → C : {msg | true}


This global assertion models a simple cash withdrawal service under the 
assumption that the credentials of the customer have already been verified. 
The customer sends the ATM an account number num and the amount of 
money to withdraw req. The ATM forwards the request to the bank. If the 
withdrawal is accepted, the bank selects branch ok; in this case the ATM 
gives the corresponding amount to the customer. Otherwise, the bank selects 
branch ko and the ATM sends an error message to the customer.

This global assertion is well-asserted, but soon the architect realises that it contains a major flaw: the ATM is expected to give money to the customer even when there is not enough cash available in the machine. The architect corrects the problem by adding a predicate a ≤ CASH in the third line, where CASH is the money available at the beginning of the session:

    C → A : {num req | req > 0}.
    A → B : {num' req' | num = num' ∧ req = req'}.
    B → A : {true} ok : A → C : {true} ok : A → C : {a | a = req ∧ a ≤ CASH},
            {true} ko : A → C : {true} ko : A → C : {msg | true}


Although this solves the flaw, a temporal satisfiability issue is introduced in the third line. In fact, A cannot guarantee its obligation if the amount req requested in the first interaction is greater than the cash available.

Fortunately, Λ is applicable and it can amend the global assertion automatically by returning the choreography below

    C → A : {num req | req > 0 ∧ ∃a. a = req ∧ a ≤ CASH}.
    A → B : {num' req' | num = num' ∧ req = req'}.
    B → A : {true} ok : A → C : {true} ok : A → C : {a | a = req ∧ a ≤ CASH},
            {true} ko : A → C : {true} ko : A → C : {msg | true}

which is well-asserted. The lifted predicate ∃a. a = req ∧ a ≤ CASH simply amounts to req ≤ CASH: the customer is now asked to request at most the cash available, so that the obligation of A in the ok branch can always be met.
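The check and the amendment just described, as an added worked example that is not part of the paper or of the tool it mentions: a temporal-satisfiability checker and a lifting step in the spirit of Λ run over the ok branch of the withdrawal protocol, together with a constructed linear variant of the v5 conflict of Section 5 on which lifting fails. It assumes a small finite domain of values and a fixed CASH constant so that the quantifiers ∃ṽ and ∀x̃.∃ỹ can be decided by enumeration, and it takes the conflicting conjunct β as given instead of computing it with split; the names Node, ts_violations and lift, and the node labels, are this example's own.

```python
"""Temporal satisfiability (TS) check and lifting (Λ) over a finite domain.

Added example, not code from the paper.  A path is the list of interaction
nodes from the root to a leaf; each node introduces variables and carries
conjuncts, each a pair (variables mentioned, callable over an environment
dict).  Quantifiers are decided by enumerating DOMAIN, so the verdicts are
exact only for that constructed domain.
"""
from itertools import product

DOMAIN = range(0, 8)   # constructed finite domain of values
CASH = 5               # constructed: cash in the ATM at session start


class Node:
    def __init__(self, name, intro, *conjuncts):
        self.name = name
        self.intro = list(intro)          # variables introduced here (ṽ)
        self.conjuncts = list(conjuncts)  # (vars, fn) pairs, conjoined


def envs(variables):
    """Every assignment of `variables` over DOMAIN (no variables: one empty env)."""
    for vals in product(DOMAIN, repeat=len(variables)):
        yield dict(zip(variables, vals))


def holds(conjuncts, env):
    return all(fn(env) for _, fn in conjuncts)


def ts_node(path, i):
    """TSnode_T(n_i): PRED_T(n_i) ⊃ ∃ṽ.ψ over the variables introduced above n_i.
    Returns a witness environment of a violation, or None."""
    node = path[i]
    above = [v for nd in path[:i] for v in nd.intro]
    for env in envs(above):
        if not all(holds(nd.conjuncts, env) for nd in path[:i]):
            continue                         # PRED_T(n_i) false here
        if not any(holds(node.conjuncts, {**env, **ext}) for ext in envs(node.intro)):
            return env                       # PRED_T(n_i) true, no value for ṽ
    return None


def ts_violations(path):
    """TS(T): names of the nodes violating temporal satisfiability."""
    return [nd.name for i, nd in enumerate(path) if ts_node(path, i) is not None]


def quantify(fn, before, after):
    """∀x̃.∃ỹ.β with x̃ = before and ỹ = after; the other variables stay free."""
    return lambda env: all(any(fn({**env, **xs, **ys}) for ys in envs(after))
                           for xs in envs(before))


def lift(path, i, beta):
    """Λ for a conflicting conjunct β = (vars, fn) at n_i: add ∀x̃_j.∃ỹ_j.β to each
    node n_j above n_i that introduces a variable of β, x̃_j (resp. ỹ_j) being the
    variables of β introduced before (resp. after) n_j.  Like build, nothing is
    changed and False is returned if an added predicate is unsatisfiable."""
    bvars, fn = beta
    pos = {v: k for k, nd in enumerate(path) for v in nd.intro}
    additions = []
    for j, node in enumerate(path[:i]):
        free = [v for v in bvars if pos[v] == j]
        if not free:
            continue
        q = quantify(fn, [v for v in bvars if pos[v] < j], [v for v in bvars if pos[v] > j])
        if not any(q(env) for env in envs(free)):   # build fails
            return False
        additions.append((node, (tuple(free), q)))
    for node, conj in additions:
        node.conjuncts.append(conj)
    return True


def atm_withdrawal():
    """ok branch of the withdrawal protocol with a ≤ CASH added (Section 6.1)."""
    return [
        Node("C->A {num req}", ["num", "req"], (("req",), lambda e: e["req"] > 0)),
        Node("A->B {num' req'}", ["num_", "req_"],
             (("num", "num_", "req", "req_"),
              lambda e: e["num"] == e["num_"] and e["req"] == e["req_"])),
        Node("A->C {a} (ok)", ["a"],
             (("a", "req"), lambda e: e["a"] == e["req"] and e["a"] <= CASH)),
    ]


def amend_atm():
    """TS problems before lifting, whether lifting succeeded, TS problems after."""
    path = atm_withdrawal()
    before = ts_violations(path)
    ok = lift(path, 2, path[2].conjuncts[0])
    return before, ok, ts_violations(path)


def v5_conflict():
    """Constructed linear variant of the v5 conflict of Section 5: the predicate
    ∀v1.∃v5. v1 < v5 < v3 − 2 that Λ adds at the node introducing v3 is unsatisfiable."""
    path = [
        Node("Alice->Bob {v1}", ["v1"], (("v1",), lambda e: 0 < e["v1"] < 4)),
        Node("Carol->Alice {v3}", ["v3"], (("v1", "v3"), lambda e: e["v3"] > e["v1"])),
        Node("Alice->Bob {v5}", ["v5"],
             (("v1", "v3", "v5"), lambda e: e["v1"] < e["v5"] < e["v3"] - 2)),
    ]
    return ts_violations(path), lift(path, 2, path[2].conjuncts[0])
```

amend_atm() reports the third node as the only TS problem, lifts β = (a = req ∧ a ≤ CASH) to the node introducing req (there x̃ is empty and ỹ = {a}, giving ∃a.β with req free) and then finds no violation, while v5_conflict() shows lift refusing the amendment because the ∀v1.∃v5 predicate has no model, so the tree is left untouched, exactly the failure the methodology reports to the architect.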


6.2 Credit Request 


We now want to model a service through which a customer can request a small line of credit. The intuition of the protocol is illustrated in Figure 2. The customer C sends his/her account number num and the requested credit a to the ATM. The ATM forwards the request to the bank and, depending on whether or not C is eligible for the credit according to the bank's records (i.e., eligible(num, a)), the bank selects either branch ok or ko. Finally, the ATM sends a message to the customer notifying him/her of the decision.


Remark 9. For simplicity, we use branch mergeability [13], a slight extension of multiparty session types. Otherwise, it would be necessary to add an extra branch in the inner branching between A and C to have the same behaviour of C in both branches of the outer branching. Note that this does not affect the applicability of our methodology.

Figure 2: Credit request protocol


A naive global assertion modelling this service is as follows:

    C → A : {num a | true}.
    A → B : {num' a' | num = num' ∧ a = a'}.
    B → A : {eligible(num, a)} ok : A → C : {msg | true},
            {true} ko : A → C : {msg | true}

The attentive reader will notice that there is an HS problem at line 3 of this global assertion. Indeed, B does not know num nor a (it only received num' and a') and therefore could not guarantee that the customer is in fact eligible. Both the Σ and Π algorithms are applicable here. The second algorithm would return the following global assertion:

    C → A : {num a | true}.
    A → B : {num' a' v1 v2 | num = num' ∧ a = a' ∧ v1 = num ∧ v2 = a}.
    B → A : {eligible(v1, v2)} ok : A → C : {msg | true},
            {true} ko : A → C : {msg | true}


C—+A:{numa | true}. 
A>B:{num' da’ v1 v2 | num =num' Aa=a' Av, = num A v2 = a}. 
B— A: {elegible(vi,v2)} ok: A> C: {msg | true}, 

{true} ko: A>+C:{msg | true} 


Although this solves the problem, we notice that this solution is not ideal. Indeed v1 and v2 are redundant with num' and a', respectively.


Strengthening gives us a better solution in this case:

    C → A : {num a | true}.
    A → B : {num' a' | num = num' ∧ a = a'}.
    B → A : {eligible(num', a')} ok : A → C : {msg | true},
            {true} ko : A → C : {msg | true}

which is what one would expect. Note that the algorithm is applicable because

$$num = num' \wedge a = a' \wedge \mathit{eligible}(num', a') \supset \mathit{eligible}(num, a)$$

holds and B knows num' and a'.
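As an added example (not from the paper nor from the tool of [9]), the history-sensitivity check together with simple versions of Σ and Π applied to the credit request above. Knowledge is approximated as the variables a participant has sent or received earlier on the path; the implication that Σ needs is checked by enumerating a small constructed domain, and eligible is a constructed stand-in (a ≤ num) for the bank's test. The names Interaction, hs_violations, strengthen and propagate, and the fresh-variable scheme num1, a1 (the paper's v1, v2), are this example's choices.

```python
"""History sensitivity (HS) check with strengthening (Σ) and propagation (Π).

Added example, not code from the paper.  An interaction records sender, receiver,
the variables it introduces and its predicate (variables mentioned, callable over an
environment dict).  The implication Σ needs is checked by enumerating the
constructed DOMAIN, so it is exact only for that domain.
"""
from itertools import product

DOMAIN = range(0, 4)   # constructed finite domain of values


def eligible(num, a):
    """Constructed stand-in for the bank's eligibility test."""
    return a <= num


class Interaction:
    def __init__(self, name, sender, receiver, intro, vars_, fn):
        self.name, self.sender, self.receiver = name, sender, receiver
        self.intro = list(intro)   # variables introduced by this interaction
        self.vars = list(vars_)    # variables the predicate mentions
        self.fn = fn


def known(path, i, p):
    """Variables participant p has sent or received strictly before node i."""
    return {v for nd in path[:i] if p in (nd.sender, nd.receiver) for v in nd.intro}


def hs_violations(path):
    """Nodes whose sender uses a variable it does not know, with those variables."""
    out = []
    for i, nd in enumerate(path):
        unknown = set(nd.vars) - set(nd.intro) - known(path, i, nd.sender)
        if unknown:
            out.append((nd.name, sorted(unknown)))
    return out


def envs(variables):
    for vals in product(DOMAIN, repeat=len(variables)):
        yield dict(zip(variables, vals))


def admissible(path, i, candidate):
    """PRED_T(n_i) ∧ candidate must imply ψ_i and must remain satisfiable."""
    nd = path[i]
    allvars = [v for x in path[:i + 1] for v in x.intro]
    sat = False
    for env in envs(allvars):
        if not (all(x.fn(env) for x in path[:i]) and candidate(env)):
            continue
        if not nd.fn(env):
            return False
        sat = True
    return sat


def strengthen(path, i):
    """Σ: substitute each unknown variable of ψ_i by one the sender knows, keeping
    the first substitution whose result still implies ψ_i.  Returns it, or None."""
    nd = path[i]
    unknown = sorted(set(nd.vars) - set(nd.intro) - known(path, i, nd.sender))
    choices = sorted(known(path, i, nd.sender))
    for picks in product(choices, repeat=len(unknown)):
        subst = dict(zip(unknown, picks))
        cand = lambda e, f=nd.fn, s=subst: f({**e, **{u: e[w] for u, w in s.items()}})
        if admissible(path, i, cand):
            nd.vars, nd.fn = [subst.get(v, v) for v in nd.vars], cand
            return subst
    return None


def propagate(path, i, u):
    """Π: reveal u to the sender of n_i through an earlier interaction whose receiver
    is that sender and whose sender knows u; a fresh copy u1 with u1 = u is introduced
    there and replaces u in ψ_i.  Returns the fresh name, or None."""
    s, tgt = path[i].sender, path[i]
    for j, nd in enumerate(path[:i]):
        if nd.receiver == s and u in known(path, j, nd.sender):
            fresh = u + "1"
            nd.intro.append(fresh)
            nd.vars.append(fresh)
            nd.fn = lambda e, f=nd.fn, u=u, w=fresh: f(e) and e[w] == e[u]
            tgt.vars = [fresh if v == u else v for v in tgt.vars]
            tgt.fn = lambda e, f=tgt.fn, u=u, w=fresh: f({**e, u: e[w]})
            return fresh
    return None


def credit_request():
    """Naive credit-request assertion of Section 6.2 (the ok guard as third node)."""
    return [
        Interaction("C->A {num a}", "C", "A", ["num", "a"], [], lambda e: True),
        Interaction("A->B {num' a'}", "A", "B", ["num_", "a_"], ["num", "num_", "a", "a_"],
                    lambda e: e["num"] == e["num_"] and e["a"] == e["a_"]),
        Interaction("B->A ok guard", "B", "A", [], ["num", "a"],
                    lambda e: eligible(e["num"], e["a"])),
    ]


def amend_by_strengthening():
    path = credit_request()
    before = hs_violations(path)
    return before, strengthen(path, 2), hs_violations(path), path[2].vars


def amend_by_propagation():
    path = credit_request()
    fresh = [propagate(path, 2, u) for u in ("num", "a")]
    return fresh, hs_violations(path), path[1].intro
```

strengthen rejects the substitution num ↦ a', a ↦ a' (it makes the guard trivially true and no longer implies eligible(num, a)) and keeps num ↦ num', a ↦ a', reproducing the assertion above; propagate instead extends the A → B interaction with num1 = num and a1 = a, the redundant variables the text warns about, which is why the architect, not the tool, should pick between the two.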


7 Conclusions 


In this paper, we investigated the problem of designing consistent assertions. We focused on two consistency criteria from [3]: history sensitivity and temporal satisfiability. We proposed and compared three algorithms (Σ, Π, and Λ) to amend global assertions. Since each algorithm is applicable only in certain circumstances, we proposed a methodology that supports the architect when violations are not automatically amendable.

On the theoretical side, the algorithms Σ, Π, and Λ address the general problem of guaranteeing the satisfiability of predicates when: (1) the parts of the system have a different perspective/knowledge of the available information (in the case of history sensitivity), and (2) the constraints are introduced progressively (in the case of temporal satisfiability). The proposed solutions can be adapted and used, for instance, to amend processes (rather than types), or orchestrations (rather than choreographies, when we want to check for local constraints) expressed in formalisms such as CC-Pi [5], a language for distributed processes with constraints. Interestingly, temporal satisfiability is similar to the feasibility property in [2], requiring that any initial segment of a computation can possibly be extended to a full computation, to prevent "a scheduler from 'painting itself into a corner' with no possible continuation". An interesting future development is to investigate more general accounts of satisfiability that are applicable to different scenarios. As future work, we will design amendment strategies to refine our methodology and maximise the applicability of the proposed algorithms (see Section 5.1).

We will also study the applicability of our methodology in more realistic cases in order to assess the quality of the solutions offered by our algorithms. We plan to implement our algorithms and support for the methodology by integrating it in the tool introduced in [9].